Last year, we introduced a bug bounty program for the Status Network Token, turning to you, the Status community to help us discover vulnerabilities we might not have been aware of already. We had such a great response that, today, we’re expanding the scope of the program to cover two new areas of interest: transaction signing and account management code.
This includes the following:
- Key generation
- Key management
- Signing modifications to status-go (also patches on top of geth)
- UI related to signing transactions (DApps, /send command, wallet)
Compensation is correlated to threat level, and we’ll be using the OWASP risk assessment methodology to determine the bug’s level of threat.
For example:
- Low threats = up to $2,000 worth of ETH or SNT
- Medium threats = up to $10,000 worth of ETH or SNT
- High threats = up to $20,000 worth of ETH or SNT
- Critical threats = up to $50,000 worth of ETH or SNT
For a little context, a high threat might be discovering a way to trick a user to sign a transaction they didn’t intend to, whereas, a critical threat might be identifying an attack that could steal a user’s funds. Note that compensation is also correlated to the submission’s quality, and very high quality submissions may increase your reward beyond the amounts specified above. Take a look at the bottom of this post to understand what constitutes a high quality submission.
- Most of the rules of the Ethereum Bounty Program apply here
- All Status community members are eligible to participate, provided that they are not already paid auditors contracted by Status
- Issues that have already been submitted by another user, or that are already known to the team (such as these and these) are not eligible for bounty rewards
- Please make sure to give us a reasonable amount of time to investigate and mitigate an issue you report before making public any information about the report, or sharing such information with others
- Please also make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services
- Naturally, we also ask that you not exploit any security issue you uncover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
All you have to do to participate is email your submission to us at security@status.im. You can also create an issue on Github, here for transaction signing issues, or here for account management code issues.
Note that a high quality submission should be as specific as you can be, and include the following:
- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repos to learn more about our test suite in the official documentation.
- Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.
If you have any questions, feel free to ping us on our Riot or at security@status.im. Best of luck finding and helping us squash those bugs!