Decred Bug Bounty Program Released



    • Bug bounty program released

      Today we are kicking off the bug bounty program. We look forward to receiving some great reports from the community. Please read the rules and scope section before you start testing.

    Rules

    We ask that you respect the following rules and guidelines:

    • All bug reports need to have clear reproduction steps and/or proof of concept.

    • All bugs must be reproducible in the latest production release or the master branch of the code.

    • Bugs in old releases or feature branches are not in scope.

    • We prohibit denial of service attacks or network bandwidth load testing.

    • Unfortunately we are unable to pay for duplicate reports or reports of bugs which are already known.

    • Any type of public disclosure of the vulnerability without prior approval from the bug bounty program will make it ineligible for payout.

    • No social engineering.

    • No spamming.

    • All current Decred contractors, and past contractors who worked for Decred within the last 6 months, are barred from taking part in this bug bounty program.

    • Vulnerability reports made before the start of the program will not be eligible for a bounty.

    • Do not attempt to attack or test on mainnet, the main Decred network. There is a completely separate Decred testnet, and there is also simnet. Simnet runs entirely on your own local system and has a low enough difficulty to mine blocks using only a CPU.

    Reminders

    • Almost all of Decred’s projects can be run locally, and build and run instructions are available on GitHub. We strongly recommend that you do this.

    • Always check a project’s GitHub “issues” before reporting, to avoid filing a duplicate.

    • The Decred project is not responsible for any loss of DCR due to bug testing.

    Payout

    We will be using the OWASP Risk Rating Methodology for assessing vulnerabilities and determining payout amount.

    We will also take into consideration the impact on the Decred ecosystem. An RCE in dcr-netstats (low impact) is not the same as an RCE in dcrd or Decrediton (higher impact).

    The following are also factors in the payout:

    • Quality of the initial writeup.

    • Quality of vulnerability reproduction steps and/or proof of concept.

    • If you provide a code fix for the vulnerability then you will also be eligible for a “code fix” bonus on the condition that our existing developers accept it as valid.

    All payouts will be in Decred only. You will be required to create and operate a Decred wallet. The DCR to USD conversion is based on the average USD rate of the previous month. The payout amount is decided by a core “bug bounty” group.

    Indicative payout amounts

    Note: up to 300 USD

    Low: up to 1,000 USD

    Medium: up to 3,000 USD

    High: up to 10,000 USD

    Critical: up to 25,000 USD

    Scope

    Projects in scope:

    GitHub repo                                    URL
    dcrweb                                         https://decred.org
    politeia, politeiagui                          https://proposals.decred.org
    dcrdocs                                        https://docs.decred.org
    dcrwebapi                                      https://api.decred.org
    testnetfaucet                                  https://faucet.decred.org
    dcr-netstats                                   https://stats.decred.org
    dcrdata (latest stable release branch only)    https://explorer.dcrdata.org
    dcrtime                                        https://time.decred.org
    dcrd
    dcrwallet
    decrediton
    atomicswap
    dcrstakepool

    The following vulnerabilities are generally out of scope:

    • Missing security best practices that do not directly lead to a vulnerability.
    • Insecure settings in non-sensitive cookies.
    • Vulnerabilities (including XSS) that affect only legacy browser/plugins.
    • Non-technical attacks such as social engineering, phishing, or physical attacks against our members, users, or infrastructure.
    • Missing HTTP headers, unless a vulnerability can be demonstrated.
    • Bugs requiring exceedingly unlikely user interaction.
    • Outdated software/library versions.
    • Clickjacking on pages with no sensitive actions.

    Submit Vulnerability

    Please follow this standard format when submitting vulnerabilities:

    Title:
    Affected website or repository:
    Vulnerability Type:
    Details:
    Impact of Vulnerability:
    Reproduction or POC details:
    Fix:

    Email your bug report to bugbounty {[@]} decred.org

    Always use the PGP key below to encrypt the email. Failure to do so will reduce the payout amount.

    Any supporting evidence (screenshots, videos, etc) should be attached to the email itself. Media files should be encrypted inside a .7z, .zip or .tar.gz file with a secure password that is included in the PGP encrypted email body. Hosting on external services may lead to disqualification.

    Fingerprint: D507 9E93 D0AF F567 DEF2 F6AC 6457 2029 21F7 0A78

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQINBFw+ARsBEADIOjL7OYHqhmEafUMFUIfc+9fOdu8WRXswDkyEtSInsuJcsNCd
    p6Ua8rKzA+yiaon27gB3LWnBHlL/P0FbeWhInPVcgPce1fQ3c4vKi3pT5Q6ooMeh
    b98n8EoccvuJCiYgpAmUG8m/oR7d3JpoF2u2pCQGHqduAOMZSKRJ4E8FW7XwOuH6
    YO/4n89FLX8kSa7aK+ptrn7lcj35hOwnPLW+MLlPVWOVqjfRc3U/mSM4Q5IA2l4S
    3vk4l6zoFj4676mW7wPAolAfR4IbUlP1WqgYhepz+7mTkDfh784t1xSXri8aVLr5
    vbP/QRnv17wlbtEjjQAujI36XiREGJ449vS37bOrkiRxyQWzedcVkrPZWOIZpTi4
    eEZahqir6+dpeLmQVWlKRrQdEIBG+v2eGDzRSWcD6vKwQJCcMqm5mZjOi93C0NSb
    b2Fg2bK5cLgM1mboX2C1i9e0aQGCF73Xyb6f4gxXXhgWzJZlSgvIFql5G4QxGB2T
    kohDcG+p2IoT27IF03n9SmCQnq0G/itTeWO9ukY5G3hUUqiH/heGnmB0JjmCQvqf
    tL7VKEb/LZm9Mh3Pih09RURGcMzwK8dPcM+86N1uUg+0nzYDgEmNsMfr7RKaJAc1
    VRetSFreGr//nQiguEBrZbDwiNFTbF9RpqRedm6RDy8U+JVedgF7N1Z5swARAQAB
    tChEZWNyZWQgQnVnIEJvdW50eSA8YnVnYm91bnR5QGRlY3JlZC5vcmc+iQI+BBMB
    AgAoBQJcPgEbAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBk
    VyApIfcKeIvgD/93O5J5kI1U5gMwmOCJEa5BHNxdu8Kb8i0W51o6qHWYUbCvGHHp
    lI96lmCOLUfWckk9GVmNZDPSph42b7NNlrZldfz1aTK7dSWArsYbo8Q61sdxfGxj
    hsF67JMLyUNBIrmJVRbrwB1myL34wMEpMZ7P7tNflZ1J7H4irjDBIMF2clZB36Vq
    9aDSMfO2wxeXbwn7gKl7+tZ6/E6FrjNJdmudWEr/Kc1nk62zf9TKucyO65MCtfut
    7IJjPvxdXSZHQdpRKU4HFUDIuSqNtMowAKWh7T0vApDCarlJvHojqw9B5iIUIX8z
    sgNaZTAnjDyX4uvmn62BRHmWxBhNQOJokeDxV6TOSUs1T/AMamAS4W8iXqlPMVUb
    yK1zjeFdxGtb78NRlKlkYzGJ+hNneKkkUtGkbkKdnhgQH9scQYdBV6Clvbqk7Fxv
    nQyDVVhrAl2b46mdXdz+AsyFKNLDxxuJupGMR1OnFQLYM/QtdW+tNe1qnnrK41Qn
    TiGGEH+KjQaB3G7GgtytUzJP8L4kIAcgMzIJ4gyJBjBKtxGffGZeRiq8fjJHjebq
    CXlLAe3Mk0iUdFzhoMSvFp0lHQfxVR8FG+e0Di1n/KXXHx1RqpL78IEEfk7FoVi6
    Xeyp4Tb1TeH8Ee6xkYxGD8Ee3X/O4OF32bR9OkLTod3Cq41lbQN4CUUYV7kCDQRc
    PgEbARAAxRGa5hGt3PtV57iob6OvpNhjckX6Yq9tDErDs78woAck/U69xM3hBmMg
    VCcNRECJ3iXlGyi6xq6mhliAPRmfI/iGFPW1o1m9u8tvvT3xwROZehpkog4S0MzM
    NJMOG0juKE8iEezAMiw2ocQ+Km5l8El4DPhte8dzpkH6DlyyNJUEVQhptcrtWno5
    dNDZNcHm+VtM6DBbUwzB+pQ6t/woZMK1PLNKb9xZsfQ1OZttsmsoReybBMho8dYq
    7pkr9RL9p9iRNT9qSTKVGssw74IwL8FYPKAccBcyycftJEA5qM5fzzsrsudcme0H
    50//TdNiHbMTzISQD7qz+DpVaVxZWPbTpFa7wpo6M/sDlZ1wgdVCQJVhYpspKqe+
    mMGP9N0RCXboDcYKAqYxgNX9RCWoUcAwON2dWSpWSiUA5x8/tWSMHiNUwVKmoRd7
    IinbZrW1ENWb1ObVxfIt7CTzzm835BAaBhdGNni42a/7JvfCeCpBjXbYAFeT2gbS
    qr4P2nfgONPalKTmbvrvqWGGJ5yDaQ9LjtIBsPBZJN3oz9OMJ5rwLXrXTCRjn4Qw
    cMrdTTCH8n1lBh73iCHuO85fxRRj3EtKs4n8ozXrYfAdk+cpAYOLBsP9fT7IMdNO
    iqjW7PIEHiJjCVJIIuloSQG7roDUuf+v4OcFf79fCncdPlLmnU0AEQEAAYkCJQQY
    AQIADwUCXD4BGwIbDAUJCWYBgAAKCRBkVyApIfcKeIfaEACiZGGojLuJ/Qx99bux
    3agWrss3+9P25J3yGb1gGYUhQce6Xg+DjI3O/j0J6PcQsaoCzxvZhD/BwJinxzfL
    0BKT8ekPXgjXgzmx9V+wXTjknLpjFZnMPwhwUMzLMwOYeVuEl5ZmEgxzc6nW/KQI
    sRnTvpc1DoJIeGDgXEOQKpwKWfRQhO8NBz9jM132rQCEQJv1eGRWQWe74LBtE+VF
    Zo+6J69AsnSubP76HnHbnAl/3qtOVn0SluCjGm5Bx9hp4s+Ugsv9/sZ8lutGWOgY
    aOxx+h9729xv9VDq5VekNcvhBJNuW9jLw+ueuhGRvFXaOuefys4nsMmjKnA76RrC
    Aso/brtjUj/Z1St63uqi89TNq2ulnVRPIkLqqMbNejxqFJTeedp1cfxh+StCqG/1
    yKnkeZIDKucPzy34t8Fi+wZR4fdlwUyCKDYvkSykGAM2Yo1Tfwv7opa4AKmKZu3V
    oYXaXT0o/3cW4VwLRF5cqkhSXh2OQcFQUcOAUp18LziRo/gyLB9ocoH0x49kMDUx
    KKXyCQYCwgv0UxWxezIeBimvLTsVW23VagWBbEUchHnsM4RU2XDWqynvalGZzkGH
    JxTNQDpJOx6n6Fa9X0YTzEFBqihhrXeprdeEaUQff95iCPw1ykUt2tqJ7boOEWJO
    62zcU+ErhAu2l/JJNs1LMq+Bf7kCDQRcPgGFARAAr/R7HyZyvgs90ZCTgD4rS1yj
    +ExqCNxTbmJoZksEs5ShNrLVwHLQWTd4S2dA2vPifLzTV8Fd5kn509V7/oyCKOC6
    GfwvBbEctPAJ4JskNpE++tYDl/voB9FeoPNKdSK3cntCw12NBlAXCN1FKDnkzrdI
    DPlmzkKWjvncZy8GBwkxtMSHkiCyBG/WmjYM7e/AVgRnnAWVMOeGaeU59/kmXPzy
    CmtdaV0ZAXo/OsZ6Fz+1IiFfkOpyEJ1S1U8+46dx4Y21siVXrurhrPpF98F2wJ0m
    f/va6ayq+LiFLphezVq41DuX3XTfyBhs5PqYcE9nya73aiPHeCNplAz+NuP5axA1
    JOD0nXDBhAmWny5Jx5qcVQS3AtKv/BwZHizRSYFZog3gyD3Nc0X44DomlTNE3lOP
    eC/85GRYCDWt6IX3yXlA3t8Zk0Gk2KHOiNI+t7Cg/CWq0Gj2aelq+MbyK2G+L4aK
    7MpQiAXs/WHeS48IgyzdOBua0rjAOaNCpNHw8ZClafgIdxMnBVmq9mH4cXZBzAZk
    0OOkYKMaiu7SiJV1XrdJPzUPsbRMbyoNnFdaOleJj64wq8ClFQhLoPFH9RP78Pwe
    TkUC7SXwUOclnSR84uk/wzURcwf+QUEnpP02NptKQ4jLKgakSmHWcacCU0jPBcA1
    81BOc5cnTIPBajXvS7cAEQEAAYkERAQYAQIADwUCXD4BhQIbAgUJCWYBgAIpCRBk
    VyApIfcKeMFdIAQZAQIABgUCXD4BhQAKCRAtkBirFF6+rpauD/9qVWkw5XEpyllF
    ihTysTTUOtTwYBOuHne1L2ZUFNeyYz9J/QH941mYQNOASe3yEC98hMR75FHW9MM/
    0gp67VMPIWpg4lcIpFA8xFKXsoy49OFy/SKzfV5aW1j/QE7GF4ynRHffPaMEH9uP
    y94M0GM+vwlOiOIo3dMHygltt3v52xhnOJrs84qjyI7QwBMXVR6PEu7wTZVXY8Ze
    nZF2DWc02fR7+Aizcuxh8mFxb0fOIPd2Z7blZOxsMDFbPDvYPSR3LkiMxjpixiEk
    qpil9rl5k/ZBfKxYGkuVRuAZANjoxRPB2J6Ua7fAmAPU7gkWhbcTI4y/jvdjRX98
    JRSFvmFE15L/GrGiHX3fuYpsNUjmzJFIpXfM0D2UJri/56uGzR5eNiedKzU+7TXH
    12ZiYafAJVi0x5zQwon/GiVuPuSrgwDnB2i0vfF0ywBhMqAcYkcKrhXsEgNvNkRp
    HX+7bzu1F3HfTm3htaWKcibjqEI+05WLuT6kgIHdMJ55IzT4iNvxX+74E9/Jhn52
    Y4asBeSEUOBFRCHLL0dBkhI5puPtl4Bj1b9HDmW8ovrKVoL3yH8tpcmwM0yRtIQK
    h50W1df6wh5dPuAJkSbmMVgpi0kIORYq70oE5DEx1fgpyauaeqwlw6wsKi91sAJl
    Sy3b7DusgDEpBGY2a6kUVNgJTuCfD2QHD/9vZDD2KA6h6pSgtQ2D5ugk72vAZQdl
    IqcLXY/wPmvkjvd2C2M8SeitX8MOb87hmvttxmwmyAwIHdhZfSI8/qvd71DtIYOF
    tAeM3pODsQNxZLdnzla/Tvr2tw1/pln6VsN/UpbE7xFbQ3Hsc/l2IPaaBNbLoHK4
    MVs3zNCm4Zu8xCmL4R4cUI1wWPiEnXetStA5ukqfe13ZUTBc+NxvcAiy5FzfjgSi
    /yYGnnd1dpo5/z9gbR30fChK0TpeXhI25mGWmWH9O9foLZtAUI8P54NkEIg7Tg+6
    dEpYLzKFAfRaBMrYWmTLHTdkqWN1Qm0+1c0m6b7rQQnVIrnvmZ14vvn++fxamGBS
    BwrvjP+kI8FXfKGMFnPjcDzUl0IwajsiIWo4RmUVMxiEyLqzDbjcWqbCGXMshXP+
    /uoe1WIqPYdidDgR1SGe8uv8By3boNIDr8OwR+Pve3dBGctxMMEoL9T+xQckJ5du
    v8qxU45QG6F1shdW/jW4naz8MS7CTyrNEstYhqwV8utClsJjuv/RTCxwr+KcKreo
    azGiaVhcoDDradOeJ4TirW7R+0pTunlLb4hxpj8aGa8LC6ut2I6QrR12QByrqJmj
    qg5eltq7pMaPJqOdCZpsNcqGz08f0TR/t6cQK8eny3Y7VSBtMRxT0MmCC3I6g76f
    bWDBwFGxHlME1g==
    =32FW
    -----END PGP PUBLIC KEY BLOCK-----
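    The submission steps above (encrypt the mail body to the program key, put media in a password-protected archive, carry the password only inside the encrypted body) as a worked shell script. This is an added example, not tooling from Decred or from this page. It assumes GnuPG 2.x and 7z (p7zip) are installed, that the public key block above has been saved as bugbounty.asc, and that the plaintext report is report.txt with supporting media under ./evidence/; those file names are placeholders. The one check worth keeping is the fingerprint pin: the script refuses to encrypt unless the key it imported carries exactly the fingerprint published above, so a tampered or look-alike key file cannot silently capture the report.

```shell
#!/bin/sh
# Added example (not Decred's own tooling): package a bug-bounty report for
# the program the way the submission rules ask for it.
# Assumptions: gpg (GnuPG 2.x) and 7z (p7zip) are installed; the program's
# public key block is saved as bugbounty.asc; the plaintext report is
# report.txt and supporting media are in ./evidence/ (placeholder names).
set -eu

# Fingerprint published on the bug bounty page. Pinned here so the script
# refuses to encrypt to any key that does not carry exactly this fingerprint.
EXPECTED_FPR="D507 9E93 D0AF F567 DEF2 F6AC 6457 2029 21F7 0A78"

# Normalise a fingerprint (drop spaces, upper-case hex) so the pinned value
# and gpg's colon-separated output can be compared byte for byte.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Print "yes" if the two fingerprints name the same key, "no" otherwise.
fingerprint_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ] && echo yes || echo no
}

# Import the key file into the current (throw-away) keyring and print the
# primary key fingerprint as gpg computed it from the key material itself,
# not any fingerprint that may be written in the file's comment lines.
import_and_read_fpr() {
    gpg --batch --quiet --import "$1" >/dev/null 2>&1
    gpg --batch --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10; exit}'
}

# Random 32-character alphanumeric archive password: never typed, never reused.
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

main() {
    asc="${1:-bugbounty.asc}"
    report="${2:-report.txt}"
    evidence="${3:-evidence}"

    # Fresh keyring so nothing already trusted on this machine can interfere.
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    actual="$(import_and_read_fpr "$asc")"
    if [ "$(fingerprint_matches "$EXPECTED_FPR" "$actual")" != yes ]; then
        echo "refusing to encrypt: imported key fingerprint is $actual" >&2
        exit 1
    fi

    # Media go into a 7z with AES-256 and encrypted headers (-mhe=on hides
    # file names too). The password is only ever sent inside the PGP body.
    pw="$(gen_password)"
    7z a -t7z -mhe=on -p"$pw" evidence.7z "$evidence" >/dev/null

    # Report text plus the archive password, encrypted to the pinned key.
    # --trust-model always: the key is pinned by fingerprint, so no web-of-
    # trust signature is needed and batch mode will not stall on a prompt.
    { cat "$report"; printf '\nArchive password (evidence.7z): %s\n' "$pw"; } |
        gpg --batch --armor --trust-model always --encrypt \
            --recipient "$(norm_fpr "$EXPECTED_FPR")" -o report.asc

    echo "attach report.asc and evidence.7z to the mail; send nothing else in clear"
}

# Run the full flow only when given the key file as the first argument;
# sourcing the script just defines the helpers above.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Usage: `sh submit.sh bugbounty.asc report.txt evidence/` produces report.asc (the PGP-encrypted body, password included) and evidence.7z to attach. The 7z password is visible in the process list for the duration of the `7z` call; on a shared machine, prefer `gpg --symmetric` on a tarball instead, which reads the passphrase from a file descriptor.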
