Haven Protocol – $100,000 Bug Bounty Program

Context

Historically, the Haven Protocol team has used bug bounties on an adhoc basis to reward developers that flag critical issues. Following the June 2021 exploits, the team quickly announced an increase in the size of these bounties to incentivise more support.

Building on this further, we are now launching a more formal Bug Bounty Programme, to make it easier than ever for skilled developers to support the project and earn xUSD.

Programme Objectives

  • Build a wider community of experts with knowledge of the protocol 
  • Encourage regular and pro-active auditing of the code by 3rd parties
  • Define a bounty process to and reward structure to give clarity of what can be earnt

How will the bug bounty process work?

We’ve summarised below the key elements of the Haven Protocol Reporting Process:

  1. What constitutes a qualifying issue
  2. How issues should be reported
  3. How issues will be processed
  4. The bounty reward structure

What constitutes a qualifying issue?

BAND DETAILS
1 Minor UX/UI bugs or issues that would otherwise cause little damage to the network or issues for users
2 Network or infrastructure bugs or issues that if not resolved could lead to security, stability or service reliability issues. May not be time sensitive.
3 Network or infrastructure bugs or issues that could result in the theft of coins from users wallets, invalid data on chain, fee manipulation or invalid tx.
4 Time sensitive critical network or infrastructure bugs or issues that if left unresolved would likely lead to a large scale network outage and/or illegal minting of coins that cause inflation.

This bounty program applies to any issue found in a latest release branch/tag, or a HEAD of master or develop branch of the following Github repositories.

In addition, non-critical (band 1) issues could be found in 

https://github.com/haven-protocol-org/haven-blockchain-explorer

Any other reported issues, outside of the above definitions will be considered on their impact on the project and rewarded accordingly.

How to report an issue

Critical issues

Critical or time-sensitive issues should be reported via email to all recipients on the list below. In the case of sensitive details that could be used to hack or sabotage the network, please use PGP encryption. Public key:

----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

mQENBGFRonEBCACQ19Qm3jgcbGl6sckFcANrrVcHzlhooFVKWdem/aLZ7e5hmZYS
1jhGTinuGnMNn2KDsMjYZWO5vGdB+IkRK2XxKtFUkj9Ip/kA7wDoAX5RUiNA1TOy
qTK7vuIwHV6AvrQx0vC492acxWpbVK2S8T5pkYHTaz7LwZMbcKcGgw8K5k0JrNRX
Tho4ZYd17Lrinl6O9xG7Sq+a9cw6Yi2xTi5A7nrTlgrQT6yLrTU4q91P+YBsPCEc
BYSp7sWoc0A2fssrAHXQvHAu1tjIBpMbFkAc6Zo4i4QRb3QZfMdOff/dY3YIWJeA
Cth0fyUQog9l2VXdoK+giPAVkwi6YvtgYqb9ABEBAAG0FmJ1Z3NAaGF2ZW5wcm90
b2NvbC5vcmeJARwEEAECAAYFAmFRonEACgkQaKVP4GAdnU+g1Af8DrxJHozMCMdN
bn1osfwgCO5lt9iKk06S6XNnaoZhB4luamNE/aJxwyqFwZ+YvkPPO1+aanXDth/t
6vihPUrXTGQZVz8oCZWm8G1rmbwtaphh5kmFsV1STKe3TNv8anb9JuX2liEOCpjS
Uk2VEmAreZMrThoXA7L0ST9XV/iw5IyvOFK9jMXj/0nPGUYMvF7FahnbGhepLBCG
Vy2TiVgiHwMqAehPtqpLcZgeilL4+REq6hy8JruD0wq9kntnQlGuDUzRLSeiRC1E
hAxRjfU+uWHzmtl8P2evEKv7BXP8mr97/ipbA4WWI4w9z7NoJJgDIkVKuejnhgcz
iCh5G0hKfA==
=EH5K

-----END PGP PUBLIC KEY BLOCK-----

Send emails to: bugs@havenprotocol.org

These emails are forwarded automatically to key members of the core team.

Non critical issues

As long as there is no risk to the network, non-critical issues can be reported to core team members via direct message in our usual comms channels:

Discord: https://discordapp.com/invite/CCtNxfG

Telegram: https://t.me/XHVHavenProtocol

Twitter: https://twitter.com/HavenXHV

GitHub


Please bear in mind that issues reported via Github may be publically viewable and should not be used for critical bugs unless done so privately:

https://github.com/haven-protocol-org

Multiple reports

In a case where more than one person reports an identical issue, the first one to report it in the correct format will be considered for the bounty reward. 

Where an issue is reported in collaboration with another person then the reward will be split according to the joint wishes of those involved.

Known issues

Where a person reports an issue that is already known, a bounty reward will not be payable.

How issues will be processed?

Once logged, all issues will be processed by either the project lead, project manager or protocol lead and assigned to the relevant person/s for investigation. 

Where the issue is determined to be serious enough there will be a meeting called for all core team members (response team) to coordinate a response.

Bounty payments will be within 30 days.

Bounty reward structure

The structure outlined here is to provide a level of transparency for bounty payments. 

Due to the complexity of the code and infrastructure involved, there will be occasions when payments may fall outside of the bands listed above. 

The submission quality will be a factor in the level of considered compensation.

Please include the following in your submission:

  • Description of the issue
  • Description of the issue’s potential security impact
  • The affected resource. e.g. URL, GitHub code snippet, transaction type etc
  • Any other relevant information

NOTE: Please do not disclose any found issues to anyone, in any form, outside of the core team. This will give the project an appropriate time to respond. Disclosure to any third parties may disqualify bug bounty eligibility.

Responsible investigation and reporting include, but isn’t limited to, the following:

  • Do not violate the privacy of other users, destroy data, etc.
  • Do not defraud or harm the Haven Protocol network or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
  • Do not target the network’s security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • The issue should only be reported to Haven core team members and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to the protocol or its users, otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

Bounty payments will be administered by the Haven Protocol Team and will be in xUSD. This allows for certainty of value for those reporting/fixing issues and benefits the project treasury by making budgeting and accounting a simpler process.

In the case of disputes with bounty payments, the response team shall determine the level (band) of severity.

Bounty payment bands

BAND LOWER PAYMENTS UPPER PAYMENTS  
1 $50 $500  
2 $1,000 $5,000  
3 $10,000 $50,000  
4 $25,000 $100,000  

Please note that the core team will make the decision as to the eligibility of the bounty claim. This can not be disputed and is final. 

This is the first iteration of the Haven Bug Bounty Programme. We are currently talking to various third-party bug bounty platforms.

en_GBEnglish (UK)