2021-03-29
SKALE Network

SKALE Network's HackerOne Program Scope

The SKALE Network Bug Bounty Program is intended for discovering potential technical vulnerabilities in the SKALE Network with the help of SKALE Network community members, especially those who specialize in global network security and Solidity smart contract security. The SKALE Network community takes the security of the network very seriously and offers this bounty program to reward those who help strengthen the network and technologies.

Program Scope

SKALE Network is a fully asynchronous binary Byzantine Fault Tolerant consensus that incorporates BLS threshold cryptography and a Trusted Execution Environment (SGX) to provide performant sidechains that are 100% Ethereum compatible. The SKALE Network is orchestrated by a set of smart contracts called SKALE Manager, deployed on the Ethereum network. For general documentation, see here.

At present, the skale-consensus, libBLS, skale-manager, and sgxwallet repositories are the only assets in scope. There are three scopes:

  1. SKALE Manager smart contracts.

  2. Infrastructure: skale-consensus and libBLS.

  3. Hardware secure crypto wallet: sgxwallet.

SKALE Manager smart contracts

For skale-manager, bugs must:

  • be valid attacks that allow a user to steal SKL tokens from the system.

  • be an attack through a network attack vector that is more than just theoretical.

  • include a POC implementation with reproducible steps. This can be a Solidity, JavaScript or Python test, or a list of actions that clearly shows how the bug occurs.

Examples of skale-manager vulnerabilities the SKALE Network is interested in include:

SKALE Manager Testnet Releases

The SKALE Network will continue with as-needed deployments of the latest versions of the smart contracts to the Rinkeby testnet.

The bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions MUST indicate to which release they relate.

The current release eligible for vulnerability reports is 1.8.1. Only vulnerabilities found in this deployment can currently be submitted for a reward. See https://github.com/skalenetwork/skale-network/tree/master/releases#test-releases for testnet contract addresses and ABIs.

For testnet tokens, please reach out to SKALE Discord HackerOne Support.

Infrastructure

To qualify for a bounty, bugs must be:

  • Valid on the develop branch of the corresponding repository.

For skale-consensus and libBLS, bugs must additionally be:

  • Valid for 64-bit Ubuntu machines with at least 2GB RAM.

  • Valid on SKALE Consensus clusters where less than 1/3 of the nodes are faulty or malicious.

  • Network-based attack vectors (reports that rely only on local or physical attacks will be closed as informative or low priority).

SKALE Network is interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and complex sequence of transactions.

Examples of skale-consensus and libBLS vulnerabilities the SKALE Network is interested in include:

  • memory allocation bugs

  • race conditions

  • timing attacks

  • information leaks

  • authentication bypasses

  • incorrect block validation

  • Denial of Service

  • lost write bugs

  • payloads/transactions that cause panics.

Please see the SKALE Consensus README and libBLS README for a quick-start guide to getting SKALE Consensus or libBLS running so you can start hunting for bugs. Please also see the test directory in each repository for examples of tests.

SGXWallet

To qualify for a bounty, bugs must be:

  • Valid for the develop branch of the corresponding repository.

  • Not related to any Intel SGX specific vulnerability (please review exclusions, ineligible bugs and out-of-scope carefully).

  • Network-based attack vectors (reports that rely only on local or physical attacks will be closed as informative or low priority).

For sgxwallet, bug submissions must also satisfy the following:

  • Valid for an SGX-enabled Intel processor.

Particular areas SKALE Network is interested in are:

  • attacks that allow a third party to steal funds from SGXWallet

  • memory consumption and memory leaks inside/outside of secure enclave

  • DDoS attacks

  • SGXWallet performance and stability

Please refer to the SGX Wallet README as your starting point for a deep dive into the component and your bug bounty kick-off.

Program Rules

  • You must provide detailed reports with reproducible steps. If the report is not detailed sufficiently to reproduce the issue, the issue will not be eligible for a reward.

  • When duplicates occur, the program will only reward the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) and clickjacking issues are prohibited.

  • Scanner-generated reports and "Advisory" or "Informational" reports that do not include any SKALE Network-specific testing or context are ineligible for rewards.

  • Website-related issues are ineligible for rewards.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Ineligible and prohibited methods

Vulnerabilities contingent on any of the following activities do not qualify for a reward in this program, and are prohibited:

  • Social engineering (including phishing) of SKALE Network staff or contractors.

  • Spamming.

  • Denial of service attacks on testnet, mainnet or any other live assets such as websites.

  • Any physical attacks against SKALE Network property, data centers, or employees.

  • Automated tools.

  • Compromising or misusing third party systems or services.

Exclusions, ineligible bugs, and out-of-scope

  • Vulnerabilities that rely on security assumptions different from those of SKALE Network.

  • Vulnerabilities that assume different setups of various components.

  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without EXPLICIT proof that they are in use in production.

  • SGX-related issues and/or vulnerabilities

  • Game Theory and incentive mechanisms attacks.

  • Attacks requiring MITM or physical access to a user's device.

  • Security issues in third-party software.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Vulnerabilities already known to the public or to the SKALE Network core team including previous findings from another participant in the bug bounty program.

  • Bugs that are not reproducible.

  • Bugs disclosed to other parties without consent from the SKALE Network core team.

  • skale.network or any other SKALE Network websites, and any website-related security practices such as:

    • Content Security Policy (CSP) HTTP header

    • HTTP Public Key Pinning (HPKP)

    • Subresource integrity

    • Referrer Policies

    • SSL/TLS configuration

    • Email or DNS configurations

    • Site or domain configurations

    • Cookies missing security flags

Disclosure Policy

  • Upon receipt of a potential security issue, SKALE Network will make every effort to quickly resolve the issue.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of SKALE Network service. Only interact with accounts you own or with explicit permission of the account holder.

  • Provide a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Follow HackerOne's disclosure guidelines.

Legal

All rights of interpretation of the Bug Bounty are reserved to SKALE Network. SKALE Network decides whether to reward a bug disclosure and how much will be rewarded. Any individual or team participant should not violate any laws and regulations during testing.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep SKALE Network and our users safe!

In Scope

Scope Type          Scope Name
web_application     https://github.com/skalenetwork/skale-consensus
web_application     https://github.com/skalenetwork/libBLS
web_application     https://github.com/skalenetwork/sgxwallet
web_application     https://github.com/skalenetwork/skale-manager/tree/develop/contracts

Out of Scope

Scope Type          Scope Name
web_application     *.skale.network
web_application     https://github.com/skalenetwork/skale-node-cli
web_application     https://github.com/skalenetwork/validator-cli

This program, crawled on 2021-03-29, is sorted as bounty.
