Historically, the Haven Protocol team has used bug bounties on an ad hoc basis to reward developers who flag critical issues. Following the June 2021 exploits, the team quickly announced an increase in the size of these bounties to incentivise more support.
Building on this further, we are now launching a more formal Bug Bounty Programme, to make it easier than ever for skilled developers to support the project and earn xUSD.
We’ve summarised below the key elements of the Haven Protocol Reporting Process:
| Band | Description |
|---|---|
| 1 | Minor UX/UI bugs or issues that would otherwise cause little damage to the network or few problems for users. |
| 2 | Network or infrastructure bugs or issues that, if not resolved, could lead to security, stability or service reliability issues. May not be time sensitive. |
| 3 | Network or infrastructure bugs or issues that could result in the theft of coins from users' wallets, invalid data on chain, fee manipulation or invalid transactions. |
| 4 | Time-sensitive critical network or infrastructure bugs or issues that, if left unresolved, would likely lead to a large-scale network outage and/or illegal minting of coins that causes inflation. |
This bounty programme applies to any issue found in the latest release branch/tag, or at the HEAD of the master or develop branch, of the following GitHub repositories:
In addition, non-critical (band 1) issues could be found in
Any other reported issues outside of the above definitions will be assessed on their impact on the project and rewarded accordingly.
Critical or time-sensitive issues should be reported via email to all recipients on the list below. In the case of sensitive details that could be used to hack or sabotage the network, please use PGP encryption. Public key:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v220.127.116.11

mQENBGFRonEBCACQ19Qm3jgcbGl6sckFcANrrVcHzlhooFVKWdem/aLZ7e5hmZYS
1jhGTinuGnMNn2KDsMjYZWO5vGdB+IkRK2XxKtFUkj9Ip/kA7wDoAX5RUiNA1TOy
qTK7vuIwHV6AvrQx0vC492acxWpbVK2S8T5pkYHTaz7LwZMbcKcGgw8K5k0JrNRX
Tho4ZYd17Lrinl6O9xG7Sq+a9cw6Yi2xTi5A7nrTlgrQT6yLrTU4q91P+YBsPCEc
BYSp7sWoc0A2fssrAHXQvHAu1tjIBpMbFkAc6Zo4i4QRb3QZfMdOff/dY3YIWJeA
Cth0fyUQog9l2VXdoK+giPAVkwi6YvtgYqb9ABEBAAG0FmJ1Z3NAaGF2ZW5wcm90
b2NvbC5vcmeJARwEEAECAAYFAmFRonEACgkQaKVP4GAdnU+g1Af8DrxJHozMCMdN
bn1osfwgCO5lt9iKk06S6XNnaoZhB4luamNE/aJxwyqFwZ+YvkPPO1+aanXDth/t
6vihPUrXTGQZVz8oCZWm8G1rmbwtaphh5kmFsV1STKe3TNv8anb9JuX2liEOCpjS
Uk2VEmAreZMrThoXA7L0ST9XV/iw5IyvOFK9jMXj/0nPGUYMvF7FahnbGhepLBCG
Vy2TiVgiHwMqAehPtqpLcZgeilL4+REq6hy8JruD0wq9kntnQlGuDUzRLSeiRC1E
hAxRjfU+uWHzmtl8P2evEKv7BXP8mr97/ipbA4WWI4w9z7NoJJgDIkVKuejnhgcz
iCh5G0hKfA==
=EH5K
-----END PGP PUBLIC KEY BLOCK-----
```
Send emails to: firstname.lastname@example.org
These emails are forwarded automatically to key members of the core team.
As long as there is no risk to the network, non-critical issues can be reported to core team members via direct message in our usual comms channels:
Please bear in mind that issues reported via GitHub may be publicly viewable, so GitHub should not be used for critical bugs unless the report is made privately:
In a case where more than one person reports an identical issue, the first one to report it in the correct format will be considered for the bounty reward.
Where an issue is reported in collaboration with another person then the reward will be split according to the joint wishes of those involved.
Where a person reports an issue that is already known, a bounty reward will not be payable.
Once logged, all issues will be processed by the project lead, project manager or protocol lead and assigned to the relevant person(s) for investigation.
Where the issue is determined to be serious enough, a meeting will be called for all core team members (the response team) to coordinate a response.
Bounty payments will be made within 30 days.
The structure outlined here is to provide a level of transparency for bounty payments.
Due to the complexity of the code and infrastructure involved, there will be occasions when payments may fall outside of the bands listed above.
The submission quality will be a factor in the level of considered compensation.
Please include the following in your submission:
NOTE: Please do not disclose any found issues to anyone, in any form, outside of the core team. This will give the project an appropriate time to respond. Disclosure to any third parties may disqualify bug bounty eligibility.
Responsible investigation and reporting includes, but is not limited to, the following:
Bounty payments will be administered by the Haven Protocol Team and will be in xUSD. This allows for certainty of value for those reporting/fixing issues and benefits the project treasury by making budgeting and accounting a simpler process.
In the case of disputes with bounty payments, the response team shall determine the level (band) of severity.
| Band | Lower payment | Upper payment |
|---|---|---|
Please note that the core team will make the decision as to the eligibility of the bounty claim. This cannot be disputed and is final.
This is the first iteration of the Haven Bug Bounty Programme. We are currently talking to various third-party bug bounty platforms.