IOVLabs has created this bug bounty program to reward security researchers that dedicate time and effort to improve the IOVLabs platforms.

SLA

IOVLabs will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 2 business days

• Time to triage (from report submit) - 2 business days

• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.

• Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) but reports to IOVLabs with considerable delay, then IOVLabs may reduce or cancel the bounty.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

• The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated.

• The submitter grants IOVLabs the right to use parts or all the submitted report for communicating the vulnerability to the public.

• Only test on nodes that you own. Avoid testing that could be damaging to IOVLabs infrastructure or other users.

• IOVLabs development team, employees and all other people paid by IOVLabs, directly or indirectly, are not eligible for rewards.

• A person who submitted a change in the IOVLabs codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.

Scope

Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, etc.) and protocol implementation. Classical client security as well as security of cryptographic primitives are also part of the program. Most JSON RPC methods and CSRF attacks against them are in scope.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Findings related to the encryption or access control of the integrated wallet.

• Attacks requirng physical access or local user level access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Denial of our service (DoS) not directly related to a flaw in the IOVLabs code or environment.

• JSON RPC personal module and the filter API including eth_newFilter, eth_blockFilter, eth_getLogs

• For TokenBridge project:

• The private key handling and storage is out of scope.

• Malicious ERC20 tokens are out of scope because there is a whitelisting process in place.

Thank you for helping keep IOVLabs platform and users safe!