No technology is perfect and Block.one believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our Smart Contracts. Good luck, and happy hunting!

Ratings:

For the prioritization and rating of findings, this program will not use the Bugcrowd Vulnerability Rating Taxonomy. This is because some of the goals are orthogonal to "classic" security vulnerabilities and don't map well to security focused scales such as VRT.

For this program Block.one utilizes severity levels for findings with associated rewards. Regardless, it is important to note that in some cases a severity level could be modified due to its likelihood, impact or even effort expended by a researcher. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. The ultimate decision of any appeal, however, is at the sole discretion of Block.one.

In the event that traditional security vulnerabilities are found the VRT level will be mapped to the critical, high, medium and low reward levels as noted below. CVSS can also be used to help map if there is not a direct mapping in the VRT. In the event that the impact or effect of a "traditional" vulnerability has a demonstrable exploit with an impact listed in the qualifying vulnerabilities that is greater than the VRT or CVSS mapping we will reward at the higher of the two levels.

Severity Level | Critical | High | Medium | Low | Informational
---|---|---|---|---|---
VRT | P1 | P2 | P3 | P4 | P5
CVSS v3 | 10.0-9.0 | 8.9-7.0 | 6.9-4.0 | <= 3.9 Low Impact | <= 3.9 Informational
Reward Levels | High | High | Medium | Low | None

Vulnerabilities that threaten the underlying economic model may be eligible for rewards up to $20,000.

Note that Block.one will not pay for bounties that count as Informational/P5.

Severity Levels

In all cases below any actions or findings refer to unauthorized or unintended actions.

• Informational - Findings of incorrect behavior, minor configuration with no impact of failures to service or correct function of transactions.
• Low - Findings of that result in minor measurable impacts including single transaction failures or resource impacts (usage, stealing or denial) not meeting higher thresholds to follow.
• Moderate - Findings that result in significant impacts including denial of service, service process crashes, memory usage greater than 64 MB.
• High - Any findings under Qualifying Economic Model Vulnerabilities (see below) or allow unintended use (including staking) of tokens from other accounts.
• Critical - Any findings that allow taking or transfer of tokens or allow tokens to be placed into an irretrievable state.

Block.one reserves the right to make any final determination of rating levels for any reported vulnerability.

Reward Rules

• The final amount is always ultimately at the sole discretion of Block.one.
• The determination of rating levels is at the sole discretion of Block.one.
• To qualify for a reward, the issue must be original, previously unreported ( this includes issues already known by Block.one but not publicly disclosed ), be a Qualifying Vulnerability (see below), and within the Testing Scope (See below).
• For multiple vulnerabilities with one underlying root cause, where one fix can be applied to remediate all the vulnerabilities, we will consider this as one vulnerability and only award it once.
• If you have found a vulnerability, please submit a report through the Bugcrowd Platform. Note that we are only able to answer technical vulnerability reports. If you are in a country that is not eligible for Bugcrowd we have an alternative reporting strategy is documented at https://block.one/security/reporting-security-vulnerabilities/. However we cannot guarantee reward payments in countries without Bugcrowd coverage and we reserve the right to deny your participation in this program or refuse to make any reward payments if you are in a location without Bugcrowd coverage. In cases where we cannot make a reward payment we may, at our discretion, offer a token reward or recognition instead. We recognize such offers will not be of equivalent intrinsic value to the bounty - they are intended in the spirit of recognition where we are unable to provide a financial reward due to program or legal limitations.
• All payments will be made in compliance with local laws and regulations.

Reward Payment

Payment is made in accordance with the payment terms provided in Bugcrowd. If your country is not eligible to bugcrowd and we determine in our discretion that your submission is accepted, qualified and eligible to payment, we will notify you of the reward amount and will work with you to process payment, subject to the laws and regulations of any applicable jurisdictions and the terms and conditions of any relevant payment service provider. You may not designate another person as the recipient of the reward. Unless otherwise indicated by us, all payments will be made in USD.

We reserve the right to change the reward range at our sole discretion any time during the program by posting an updated range on the program page. You are required to check the program page from time to time to confirm the reward range being offered at the time you submit any vulnerability. However, you will be entitled to the reward range posted at the time of your submission if the reward range is changed by us afterwards.

Scope and rewards

Reward range

Last updated 21 Aug 2020 21:32:33 UTC

Technical severity | Reward range
---|---
p1 Critical | $8,000 - $12,000
p2 Severe | $4,000 - $6,000
p3 Moderate | $1,400 - $3,000
p4 Low | $500 - $1,500

P5 submissions do not receive any rewards for this program.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.