If you are able to donate and contribute to the Haven project, please click here. Thank you.
Bug Bounty Program
Program Objectives
- Build a wider community of experts with knowledge of the protocol
- Encourage regular and pro-active auditing of the code by 3rd parties
- Define a bounty process to and reward structure to give clarity of what can be earnt
How will the bug bounty process work?
We’ve summarised below the key elements of the Haven Protocol Reporting Process:
- What constitutes a qualifying issue
- How issues should be reported
- How issues will be processed
- The bounty reward structure
What constitutes a qualifying issue?
Band | Details |
1 | Minor UX/UI bugs or issues that would otherwise cause little damage to the network or issues for users |
2 | Network or infrastructure bugs or issues that if not resolved could lead to security, stability or service reliability issues. May not be time sensitive. |
3 | Network or infrastructure bugs or issues that could result in the theft of coins from users wallets, invalid data on chain, fee manipulation or invalid tx. |
4 | Time sensitive critical network or infrastructure bugs or issues that if left unresolved would likely lead to a large scale network outage and/or illegal minting of coins that cause inflation. |
This bounty program applies to any issue found in a latest release branch/tag, or a HEAD of master or develop branch of the following Github repositories.
- https://github.com/haven-protocol-org/haven-main
- https://github.com/haven-protocol-org/haven-web-core
- https://github.com/haven-protocol-org/haven-web-app
- https://github.com/haven-protocol-org/haven-web-cpp
- https://github.com/haven-protocol-org/node-cryptoforknote-util
In addition, non-critical (band 1) issues could be found in
https://github.com/haven-protocol-org/haven-blockchain-explorer
Any other reported issues, outside of the above definitions will be considered on their impact on the project and rewarded accordingly.
How to report an issue
Critical issues
Critical or time-sensitive issues should be reported via email to all recipients on the list below. In the case of sensitive details that could be used to hack or sabotage the network, please use PGP encryption. Public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGNze50BCADkf+9L4jZPjZvkrUUT8sSZ7rR4Qj+QdgNEsbr4ldGxy0HvIMsJ
RZcCJu8mYGLo85Ix97+V7Qphp3cgePjs0AEVTFb00i9lhfTnIZacKCL9l3F2YGfU
iq2ZTidqS9n5bGReRaMzDWVjM2ig8W2TKwaj4k0kte6v5U56N/4rRCMFdcLDajhI
c4+6qQr+/nXjChUUB/MN+z8XTnBqB4QIZZV7NeNTZVvVfHrBFDH9Fl54CAhkFNkt
cU/s5nGiUZ9l7K7msaLEH/5GAkSRGhSgzGQ6pAWQKY4Q+XpO4TaStNNqIIQpL01Q
t2oJpAIXsbGMdpray3gm05XREBDSV77AdWHnABEBAAG0J0hhdmVuIFByb3RvY29s
IDxidWdzQGhhdmVucHJvdG9jb2wub3JnPokBUQQTAQgAOxYhBN4XXmeeN6kfHgRL
elqGSAO/r/eGBQJjc3udAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJ
EFqGSAO/r/eG5EsIAIcdibECi38p8hZH8M+Unyp+KFL/GGCUZsUTePEh2wTBlW4I
5q1vVSLCB1M/chB3onWMUUL7Zwo+sp+9ffvHXWg0vT4N49yZU4+oQVgnAJrQ+tN1
dI0tvOFvhROmC21inuZDnye9e+n5nNtXU+AtZRba3TjxEE8zynf0sUjGoWvDmECm
w3x+02pGVBw4rG5lBSnzLbCBjbR9pNjZ76e/qthD67SmoRt9+7sDK+d3Mct+iWeC
5H4NZ7oVEMGCzqB07iql/qwv/02mZyeWJyBsvPHuCzuxaqUw9n32v1dTFfC3G387
Uw6m9a1zKFCwHimlaofZ0rS8M33+lP4Z0wJorGu5AQ0EY3N7nQEIAKZO9ufsg+8P
1eGokMgvEqIB+yNk7vJh/UBB7MpJooaMGT7nMBIONwOeTX9ODt1iyGOEW8BfyldZ
HcFCnZJqe5d/t9NVNtWMoihqp2GS3d1b/S4WVKV14LYfaR0sC2V1TxFlhHhKXydM
AsJBjBvghT8AicWFlDSjhc0TzQG1zLzYBpN+G4SPZUhAJmOBKheUXrMtpOcRzTys
Ab1PPIRgl8muVpgUlNiMz5kVhhK45qp8OiOlrnWDQAHd3jamX2v/KLQRqcsdRN+U
HjyrSNiH8V7/VT66IuBe08KoIcZ9eOiaTbocN9xEbds208kt9LehbHQep809Vu9+
jZjOqbPCmS0AEQEAAYkBNgQYAQgAIBYhBN4XXmeeN6kfHgRLelqGSAO/r/eGBQJj
c3udAhsMAAoJEFqGSAO/r/eG4CYH/jNh5Va9xS2jGFp2nF38qMKt5cRdSF0+B7Az
YpM0q6OF4ESaVbT1F3AYndqj9xRXJrOAAYB/Y6likkoiZyR0s+7jMeCvxFRZ4LLM
uX/PfDyz7TSCP0Gpx5aAo30fcNz1WfDF1rEt40YtHm8NYoEdtWitoOP7pIWuKvto
smLYpK4qW/McI/cU7A5ZBEYuNR3k84Ca79bjxpAxY3oZDbAVr4jqPlJz86Kgt9/0
SKkquLBoXLG9+6/CKg7YsNKcak8X45JSWa/l5gq641Zx3H3K1uGwJ+UTm8aaObek
Jk7iZXWJuNJ3E9hsoMz7C7PLxmgRjOTdPxwof4OadFwfm+dpCFM=
=g/J8
-----END PGP PUBLIC KEY BLOCK-----
Send emails to: [email protected]
These emails are forwarded automatically to key members of the core team.
Non critical issues
As long as there is no risk to the network, non-critical issues can be reported to core team members via direct message in our usual comms channels:
Discord: https://discordapp.com/invite/CCtNxfG
Telegram: https://t.me/XHVHavenProtocol
Twitter: https://twitter.com/HavenXHV
GitHub
Please bear in mind that issues reported via Github may be publically viewable and should not be used for critical bugs unless done so privately:
https://github.com/haven-protocol-org
Multiple reports
In a case where more than one person reports an identical issue, the first one to report it in the correct format will be considered for the bounty reward.
Where an issue is reported in collaboration with another person then the reward will be split according to the joint wishes of those involved.
Known issues
Where a person reports an issue that is already known, a bounty reward will not be payable.
How issues will be processed?
Once logged, all issues will be processed by either the project lead, project manager or protocol lead and assigned to the relevant person/s for investigation.
Where the issue is determined to be serious enough there will be a meeting called for all core team members (response team) to coordinate a response.
Bounty payments will be within 30 days.
Bounty reward structure
The structure outlined here is to provide a level of transparency for bounty payments.
Due to the complexity of the code and infrastructure involved, there will be occasions when payments may fall outside of the bands listed above.
The submission quality will be a factor in the level of considered compensation.
Please include the following in your submission:
- Description of the issue
- Description of the issue’s potential security impact
- The affected resource. e.g. URL, GitHub code snippet, transaction type etc
- Any other relevant information
NOTE: Please do not disclose any found issues to anyone, in any form, outside of the core team. This will give the project an appropriate time to respond. Disclosure to any third parties may disqualify bug bounty eligibility.
Responsible investigation and reporting include, but isn’t limited to, the following:
- Do not violate the privacy of other users, destroy data, etc.
- Do not defraud or harm the Haven Protocol network or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
- Do not target the network’s security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- The issue should only be reported to Haven core team members and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to the protocol or its users, otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
Bounty payments will be administered by the Haven Protocol Team and will be in xUSD. This allows for certainty of value for those reporting/fixing issues and benefits the project treasury by making budgeting and accounting a simpler process.
In the case of disputes with bounty payments, the response team shall determine the level (band) of severity.
Bounty payment bands
Due to out project lacking in funds, it is not currently possible to pay bug bounties.
If you are willing to contribute to the project, we welcome it. Thank you.
Band | Lower Payments | Upper Payments |
1 | $0 | $0 |
2 | $0 | $0 |
3 | $0 | $0 |
4 | $0 | $0 |
Please note that the core developers/contributors will make the decision as to the eligibility of the bounty claim. This cannot be disputed and is final.
This is the first iteration of the Haven bug bounty program and as such will be reviewed regularly to ensure it remains fit for purpose.