Deconet Bug Bounty
The Deconet Bug Bounty Program provides bounties for bugs. We call on our community and all bug bounty hunters to help identify bugs in our smart contracts and dApps. Earn rewards for finding vulnerabilities. See Rules & Rewards section for details.
Over $2,000 paid out in bug bounties so far!
Please follow the rules below to earn your reward
- Issues that have already been submitted by another user or are already known to the Deconet team are not eligible for bounty rewards. A list of known issues and ineligible domains can be found here.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- You should start a private instance of our smart contracts for bug hunting on a testnet or private chain. Please respect the Deconet mainnet contracts and refrain from attacking them. With respect to our backend systems, we provide sandboxed instances for you to attack, with URLs listed below.
- Deconet's core development team, employees and all other people paid by the Deconet project, directly or indirectly, are not eligible for rewards.
- Deconet bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Deconet.
The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are, in the end, determined at the sole discretion of the Deconet bug bounty panel.
- Critical: up to 2,500 points
- High: up to 1,000 points
- Medium: up to 500 points
- Low: up to 250 points
- Note: up to 50 points
1 point currently corresponds to 1 USD (payable in ETH, BTC, or DCO), something which may change without prior notice.
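The OWASP risk rating model referenced above scores eight likelihood factors and eight impact factors from 0 to 9, averages each group, buckets the averages into LOW / MEDIUM / HIGH, and combines the two buckets in a matrix whose outputs (Note, Low, Medium, High, Critical) are exactly the tiers listed above. The following Python script is an added worked example, not part of the Deconet program or its tooling: it implements that calculation and maps the resulting severity to the reward ceilings on this page. The factor names follow the OWASP Risk Rating Methodology; the sample scores are constructed for illustration and do not come from any real report.

```python
from statistics import mean

# OWASP Risk Rating Methodology factor names (each scored 0-9).
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact factors
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall-severity matrix, keyed by (impact level, likelihood level).
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}

# Maximum reward per severity tier, in points, as listed on this page (1 point = 1 USD).
REWARD_CEILING = {"Critical": 2500, "High": 1000, "Medium": 500, "Low": 250, "Note": 50}


def average_score(scores, factors):
    """Average the 0-9 score of every expected factor; reject missing or out-of-range values."""
    missing = set(factors) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in factors:
        value = scores[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not 0 <= value <= 9:
            raise ValueError(f"{name} must be a number from 0 to 9, got {value!r}")
    return mean(scores[name] for name in factors)


def level(score):
    """OWASP bucket for an averaged score: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate_finding(likelihood, impact):
    """Return the OWASP severity of a finding and the reward ceiling it maps to on this page."""
    likelihood_score = average_score(likelihood, LIKELIHOOD_FACTORS)
    impact_score = average_score(impact, IMPACT_FACTORS)
    severity = SEVERITY_MATRIX[(level(impact_score), level(likelihood_score))]
    return {
        "likelihood_score": likelihood_score,
        "likelihood_level": level(likelihood_score),
        "impact_score": impact_score,
        "impact_level": level(impact_score),
        "severity": severity,
        "max_reward": REWARD_CEILING[severity],
    }


# Constructed sample (illustrative values only): a dApp endpoint that lets an
# authenticated user read another user's data, one of the dApp issue classes
# listed on this page. Easy to find and exploit, so likelihood is high; it
# leaks data but does not alter state or availability, so impact is moderate.
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    for key, value in rate_finding(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT).items():
        print(f"{key}: {value}")
```

For the sample finding the likelihood average is 8.25 (HIGH) and the impact average is 5.0 (MEDIUM), which the matrix rates as High, i.e. a ceiling of 1,000 points. Note that the matrix is not symmetric in the two inputs: a HIGH-impact, LOW-likelihood finding rates Medium, while a LOW-impact, HIGH-likelihood one also rates Medium, but the same finding with MEDIUM impact rates High only when likelihood is HIGH.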
In addition to Severity, other variables are also considered when the Deconet bug bounty panel decides the score, including (but not limited to):
- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.
Please note that bugs in our Source Control website may pay a smaller reward than bugs found in our main infrastructure. This is because our Source Control website is running an open source project called Gitea that we did not develop, and we want to incentivize attacking the infrastructure we've created.
Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for our active Deconet community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Deconet bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
The Deconet bug bounty program encompasses our whole system, including our smart contracts, our dApps, our backend systems, and the general architecture of how our systems work. Details on the scope follow:
Protocol and system architecture security
The idea for Deconet was initially published in the Whitepaper. This concept has been realized via our Ethereum smart contracts and dApp system, which are up for scrutiny:
- The numerous smart contracts as found in the smart contract repo.
- This repo contains the smart contracts for our payment splitting system, which are also eligible for bounty rewards
Help identify flaws in the smart contracts, relating to:
- Conceptual security issues in the specification of the Deconet system and smart contracts.
- Misaligned / unintended economic incentives and game theoretic flaws.
- Bad tests or unforeseen / untested cases or scenarios.
dApp and other Client implementation security
Assuming that the smart contracts and system architecture are flawless, does one of our dApp client implementations contain security issues? Issues could include:
- No / bad validations of contract inputs
- Operations that exceed the privileges of a standard user
- Operations on behalf of another user
- Accessing data of another user, or data that exceeds the privileges of a standard user.
- Issues related to external libraries used.
- Data type overflow / wrap around, e.g. integer overflow.
- Panics or not properly handled errors.
- Concurrency, e.g. synchronization, state, races.
We ask that you please not attack the production instances of our web apps; instead, we have put up identical sandboxed instances for you to audit, listed below:
- Main web app: https://deconet-bountytarget.herokuapp.com/
- Our source control (a gitea instance): https://bountytarget.source.deco.network
Additionally, please do not bother auditing https://deco.network as it's a static marketing site with no backend.
- Our smart contract repo
- Payment splitting smart contract repo
- Our dApp (prod instance, please do not attack)
- Blog post on how API selling works
- Blog post on how the different smart contracts work
- dApp help page
- Our community on Telegram
- A list of known issues and domains that are ineligible for the bounty
Frequently Asked Questions
Is the bug bounty program time limited?
No end date is currently set. Any changes will be posted here, on this page, so check back for updates.
How are bounties paid out?
Rewards are paid out in ETH or BTC after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH/BTC address.
Can I donate my reward to charity?
Yes. We can donate your reward to an established charitable organization of your choice.
I reported an issue / vulnerability but have not received a response!
We aim to respond to submissions as fast as possible, but it may take 5-7 days for us to investigate your issue and send a reply. Feel free to email us if you have not received a response in more than 7 days.
I want to be anonymous
Submitting anonymously or with a pseudonym is OK, but will make you ineligible for ETH/BTC rewards. To be eligible for ETH/BTC rewards, we require your real name and a proof of your identity. Donating your bounty to a charity doesn’t require your identity.
Please let us know if you do not want your name/nick displayed on a future leader board.
I have more questions.
Email us at firstname.lastname@example.org.
Disclaimer: This bug bounty website was heavily copied from the Ethereum bug bounty program website at https://bounty.ethereum.org. Thanks to the Ethereum Foundation for running an exemplary bug bounty program!