Ineligible domains and notes
- https://developers.deco.network is ineligible for rewards and is not part of the bug bounty program.
- https://bounty.deco.network is ineligible for rewards and is not part of the bug bounty program.
- Freshchat and any other third-party scripts on our websites are not eligible for rewards. Please do not attack or spam them.
- The S3 bucket named deco.network is publicly accessible. This is intentional, as this S3 bucket hosts the website.
- There is a .DS_Store file located at deco.network that contains a directory listing of the above S3 bucket. This is not sensitive information.
- The marketing website is just a static website with no personal information. Please do not attack it.
Source Control (https://bountytarget.source.deco.network)
- This server is running a slightly-modified instance of Gitea, an open source project.
- You can see the source for Gitea and its known issues here: https://github.com/go-gitea/gitea
- Any issues already reported to Gitea are ineligible for our bug bounty.
- In addition, since this is not part of our own codebase, rewards for bugs found in this project are substantially lower than those found in our codebase.
API and Software License sales
- User uploads and tries to sell code that isn't actually theirs
  - User is violating copyright law, and the copyright holder can prosecute them if desired
  - The Token Curated Registry should eliminate this issue because there is a monetary (token) incentive to find and challenge projects that plagiarize
- User uploads a project and then buys it from themselves to receive the token reward
  - The token reward should be adjusted such that its exchangeable value is less than the tx fees to perform this attack
    - Listing the project costs about 200k gas
    - Buying a module costs about 60k gas
  - The Token Curated Registry will also help with this because if the project is of crappy quality it won't get in
- User creates an API and tries to charge users for API calls they didn't make
  - The API buyer has to approve the amount that can be spent on a per-API basis (in wei per second), and it defaults to 0. So the buyer can't be charged unless they approve something manually
- User creates an API, it's legit and people actually use it, but the user lies about the number of API calls being made
  - If the API is hosted on our gateway, then we are doing the usage reporting; if the API owner reports more usage than we observed, we will see the discrepancy and cut off the API on our gateway
  - If the API is not hosted on our gateway, then it's the responsibility of the API consumer to verify that they are being charged the right amount. It's all reported to the ETH chain, so it's transparent
- User creates an API, it's legit and people actually use it, but the user suddenly jacks up the price per API call and users get charged a lot more than they expected
  - The reputation of the API will suffer and nobody will use it anymore. This attack can only be pulled off once
  - In addition, our smart contract uses a two-step process for charging users for API calls. We report the API call usage amount, which locks in the price per call. Then we do a "settle" operation that transfers the ETH from the buyer to the seller. The reporting happens frequently enough to make the window during which users can be charged the higher price very small
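The approve, report and settle steps above as an added toy model in Python (this is not deco.network's contract code). It assumes the per-API approval is a spend rate in wei per second that defaults to 0, that settle() never charges more than that rate times the reported interval, and that the gas figures from the list above bound the self-purchase attack; the API and balance values are constructed.

```python
# Added toy model of the charging flow described above (not deco.network's contract code).
# Assumed: per-API approval is a spend rate in wei per second (default 0); a usage report
# locks the price per call in force at that moment; settle() charges at the locked price,
# capped at the approved rate times the reported interval.
from dataclasses import dataclass, field

@dataclass
class Api:
    seller: str
    price_per_call: int  # wei; the seller may change this at any time

@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    allowance: dict = field(default_factory=dict)  # (buyer, api_id) -> wei per second
    pending: dict = field(default_factory=dict)    # (buyer, api_id) -> (calls, seconds, price)

    def approve(self, buyer: str, api_id: str, wei_per_second: int) -> None:
        self.allowance[(buyer, api_id)] = wei_per_second

    def report_usage(self, buyer: str, api_id: str, api: Api, calls: int, seconds: int) -> None:
        # Step 1: lock in today's price; a later price hike cannot reach reported usage.
        self.pending[(buyer, api_id)] = (calls, seconds, api.price_per_call)

    def settle(self, buyer: str, api_id: str, api: Api) -> int:
        # Step 2: transfer at the locked price, never more than the buyer approved.
        calls, seconds, locked_price = self.pending.pop((buyer, api_id))
        cap = self.allowance.get((buyer, api_id), 0) * seconds  # unapproved API -> 0
        amount = min(calls * locked_price, cap)
        self.balances[buyer] = self.balances.get(buyer, 0) - amount
        self.balances[api.seller] = self.balances.get(api.seller, 0) + amount
        return amount

def self_purchase_unprofitable(reward_value_wei: int, gas_price_wei: int,
                               list_gas: int = 200_000, buy_gas: int = 60_000) -> bool:
    # Listing plus buying the module back must cost more in gas than the reward is worth.
    return reward_value_wei < (list_gas + buy_gas) * gas_price_wei

def demo() -> dict:
    ledger = Ledger(balances={"buyer": 10_000})          # constructed sample balance
    api = Api(seller="seller", price_per_call=10)
    ledger.report_usage("buyer", "weather", api, calls=5, seconds=60)
    unapproved = ledger.settle("buyer", "weather", api)  # 0: no approval yet
    ledger.approve("buyer", "weather", 1)                 # 1 wei/s for this API only
    ledger.report_usage("buyer", "weather", api, calls=5, seconds=60)
    api.price_per_call = 1_000                            # price hike after the report
    charged = ledger.settle("buyer", "weather", api)      # 5 * 10 = 50, under the 60 cap
    return {"unapproved": unapproved, "charged": charged, "buyer": ledger.balances["buyer"]}
```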
AWS / EC2 instances
- Some of our EC2 instances have SSH open to the world. This is intentional.
- A lack of rate limiting is a known issue, and this is out of scope of the bug bounty program.
- On some servers, our OpenSSL version might not be the latest version. As long as the installed version isn’t vulnerable to a possible attack, reporting that our OpenSSL version is not current is not eligible. We may reward reports like this based on the severity of a possible attack, if one exists.
Main app (app.deco.network)
- When a user changes their password, they are logged out of app.deco.network but they are not logged out of source control at source.deco.network. The user must manually log out of source.deco.network if they wish.
- It may be possible to check whether a given username or email address is already registered in the app (user enumeration).