No technology is perfect and Block.one believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our Smart Contracts. Good luck, and happy hunting!
For the prioritization and rating of findings, this program will not use the Bugcrowd Vulnerability Rating Taxonomy. This is because some of the goals are orthogonal to "classic" security vulnerabilities and don't map well to security focused scales such as VRT.
For this program Block.one utilizes severity levels for findings with associated rewards. Regardless, it is important to note that in some cases a severity level could be modified due to its likelihood, impact or even effort expended by a researcher. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. The ultimate decision of any appeal, however, is at the sole discretion of Block.one.
In the event that traditional security vulnerabilities are found, the VRT level will be mapped to the Critical, High, Medium and Low reward levels as noted below. CVSS can also be used to help with mapping if there is no direct mapping in the VRT. If a "traditional" vulnerability has a demonstrable exploit whose impact, as listed in the qualifying vulnerabilities, is greater than the VRT or CVSS mapping, we will reward at the higher of the two levels.
Severity Level | Critical | High | Medium | Low | Informational
VRT | P1 | P2 | P3 | P4 | P5
CVSS v3 | 10.0-9.0 | 8.9-7.0 | 6.9-4.0 | <= 3.9 Low Impact | <= 3.9 Informational
Reward Levels | High | High | Medium | Low | None
Vulnerabilities that threaten the underlying economic model may be eligible for rewards up to $20,000.
Note that Block.one will not pay for bounties that count as Informational/P5.
In all cases below any actions or findings refer to unauthorized or unintended actions.
Block.one reserves the right to make any final determination of rating levels for any reported vulnerability.
Payment is made in accordance with the payment terms provided by Bugcrowd. If your country is not eligible on Bugcrowd and we determine in our discretion that your submission is accepted, qualified and eligible for payment, we will notify you of the reward amount and will work with you to process payment, subject to the laws and regulations of any applicable jurisdictions and the terms and conditions of any relevant payment service provider. You may not designate another person as the recipient of the reward. Unless otherwise indicated by us, all payments will be made in USD.
We reserve the right to change the reward range at our sole discretion any time during the program by posting an updated range on the program page. You are required to check the program page from time to time to confirm the reward range being offered at the time you submit any vulnerability. However, you will be entitled to the reward range posted at the time of your submission if the reward range is changed by us afterwards.
Last updated 21 Aug 2020 21:32:33 UTC
Technical severity | Reward range
P1 Critical | $8,000 - $12,000
P2 Severe | $4,000 - $6,000
P3 Moderate | $1,400 - $3,000
P4 Low | $500 - $1,500
P5 submissions do not receive any rewards for this program.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings.
This program was found on Bugcrowd on 2021-02-03.