Status Network Token Bug Bounty (up to $50,000 per bug)
We are starting our bug bounty program for all contracts and software relevant for our upcoming Contribution Period.
Major bugs will be rewarded up to $25,000 (in BTC or ETH). Much higher rewards are possible (up to $50,000) in case of very severe vulnerabilities.
Most of the rules on https://bounty.ethereum.org apply. For example: first come, first served. Issues that have already been submitted by another user or are already known to the team (such as these) are not eligible for bounty rewards.
The scope of our bug bounty program includes all contracts related to the Contribution Period and the Status Network Token code.
- This includes all contracts within: https://github.com/status-im/status-network-token/
As of this post, the bug bounty program is considered started and valid reports of bugs will be compensated moving forward. The bounty program will continue even after the token launch.
We are using the OWASP risk assessment methodology to determine the bug’s level of threat to the sale.
- Note: Up to $100 USD
- Low: Up to $2000 USD
- Medium: Up to $10,000 USD
- High: Up to $20,000 USD
- Critical: Up to $50,000 USD
An attack identified that could steal raised funds would be considered a critical threat.
If there was a way for someone to spend more tokens than owned or to mint their own SNT, the bug would be considered a high threat.
Please note that the submission’s quality will factor into the level of compensation. A high quality submission includes an explanation of how the bug can be reproduced, a failing test case, and a fix that makes the test case pass. High quality submissions may be awarded amounts higher than the amounts specified above.
Note that bounties will be paid in ETH and paid auditors contracted by Status are not eligible for bounty compensation. If you find a bug, we can also offer the ability to participate in the Contribution Period, at the same rate as everyone else (10,000 SNT per 1 ETH).
Responsible Disclosure Policy
If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
Email your submission to: [email protected]
You can also join http://slack.status.im/ and create a group chat with both @jarradhope and @carl. Sending an email first is highly recommended.
Anonymous submissions are welcome.
If in doubt about other aspects of the bounty, most of the Ethereum Foundation bug bounty program rules will apply.