$100k Bug Bounty Program
- Build a wider community of experts with knowledge of the protocol
- Encourage regular and pro-active auditing of the code by 3rd parties
- Define a bounty process to and reward structure to give clarity of what can be earnt
How will the bug bounty process work?
We’ve summarised below the key elements of the Haven Protocol Reporting Process:
- What constitutes a qualifying issue
- How issues should be reported
- How issues will be processed
- The bounty reward structure
What constitutes a qualifying issue?
|1||Minor UX/UI bugs or issues that would otherwise cause little damage to the network or issues for users|
|2||Network or infrastructure bugs or issues that if not resolved could lead to security, stability or service reliability issues. May not be time sensitive.|
|3||Network or infrastructure bugs or issues that could result in the theft of coins from users wallets, invalid data on chain, fee manipulation or invalid tx.|
|4||Time sensitive critical network or infrastructure bugs or issues that if left unresolved would likely lead to a large scale network outage and/or illegal minting of coins that cause inflation.|
This bounty program applies to any issue found in a latest release branch/tag, or a HEAD of master or develop branch of the following Github repositories.
In addition, non-critical (band 1) issues could be found in
Any other reported issues, outside of the above definitions will be considered on their impact on the project and rewarded accordingly.
How to report an issue
Critical or time-sensitive issues should be reported via email to all recipients on the list below. In the case of sensitive details that could be used to hack or sabotage the network, please use PGP encryption. Public key:
----BEGIN PGP PUBLIC KEY BLOCK----- Version: BCPG C# v18.104.22.168 mQENBGFRonEBCACQ19Qm3jgcbGl6sckFcANrrVcHzlhooFVKWdem/aLZ7e5hmZYS 1jhGTinuGnMNn2KDsMjYZWO5vGdB+IkRK2XxKtFUkj9Ip/kA7wDoAX5RUiNA1TOy qTK7vuIwHV6AvrQx0vC492acxWpbVK2S8T5pkYHTaz7LwZMbcKcGgw8K5k0JrNRX Tho4ZYd17Lrinl6O9xG7Sq+a9cw6Yi2xTi5A7nrTlgrQT6yLrTU4q91P+YBsPCEc BYSp7sWoc0A2fssrAHXQvHAu1tjIBpMbFkAc6Zo4i4QRb3QZfMdOff/dY3YIWJeA Cth0fyUQog9l2VXdoK+giPAVkwi6YvtgYqb9ABEBAAG0FmJ1Z3NAaGF2ZW5wcm90 b2NvbC5vcmeJARwEEAECAAYFAmFRonEACgkQaKVP4GAdnU+g1Af8DrxJHozMCMdN bn1osfwgCO5lt9iKk06S6XNnaoZhB4luamNE/aJxwyqFwZ+YvkPPO1+aanXDth/t 6vihPUrXTGQZVz8oCZWm8G1rmbwtaphh5kmFsV1STKe3TNv8anb9JuX2liEOCpjS Uk2VEmAreZMrThoXA7L0ST9XV/iw5IyvOFK9jMXj/0nPGUYMvF7FahnbGhepLBCG Vy2TiVgiHwMqAehPtqpLcZgeilL4+REq6hy8JruD0wq9kntnQlGuDUzRLSeiRC1E hAxRjfU+uWHzmtl8P2evEKv7BXP8mr97/ipbA4WWI4w9z7NoJJgDIkVKuejnhgcz iCh5G0hKfA== =EH5K -----END PGP PUBLIC KEY BLOCK-----
Send emails to: email@example.com
These emails are forwarded automatically to key members of the core team.
Non critical issues
As long as there is no risk to the network, non-critical issues can be reported to core team members via direct message in our usual comms channels:
Please bear in mind that issues reported via Github may be publically viewable and should not be used for critical bugs unless done so privately:
In a case where more than one person reports an identical issue, the first one to report it in the correct format will be considered for the bounty reward.
Where an issue is reported in collaboration with another person then the reward will be split according to the joint wishes of those involved.
Where a person reports an issue that is already known, a bounty reward will not be payable.
How issues will be processed?
Once logged, all issues will be processed by either the project lead, project manager or protocol lead and assigned to the relevant person/s for investigation.
Where the issue is determined to be serious enough there will be a meeting called for all core team members (response team) to coordinate a response.
Bounty payments will be within 30 days.
Bounty reward structure
The structure outlined here is to provide a level of transparency for bounty payments.
Due to the complexity of the code and infrastructure involved, there will be occasions when payments may fall outside of the bands listed above.
The submission quality will be a factor in the level of considered compensation.
Please include the following in your submission:
- Description of the issue
- Description of the issue’s potential security impact
- The affected resource. e.g. URL, GitHub code snippet, transaction type etc
- Any other relevant information
NOTE: Please do not disclose any found issues to anyone, in any form, outside of the core team. This will give the project an appropriate time to respond. Disclosure to any third parties may disqualify bug bounty eligibility.
Responsible investigation and reporting include, but isn’t limited to, the following:
- Do not violate the privacy of other users, destroy data, etc.
- Do not defraud or harm the Haven Protocol network or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
- Do not target the network’s security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- The issue should only be reported to Haven core team members and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to the protocol or its users, otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
Bounty payments will be administered by the Haven Protocol Team and will be in xUSD. This allows for certainty of value for those reporting/fixing issues and benefits the project treasury by making budgeting and accounting a simpler process.
In the case of disputes with bounty payments, the response team shall determine the level (band) of severity.
Bounty payment bands
|Band||Lower Payments||Upper Payments|
Please note that the core developers/contributors will make the decision as to the eligibility of the bounty claim. This cannot be disputed and is final.
This is the first iteration of the Haven bug bounty program and as such will be reviewed regularly to ensure it remains fit for purpose.