2021-05-05
Sifchain

Sifchain looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. We are a public open source, decentralized blockchain and omni-chain DEX where most information is publicly queryable to the entire internet. Our primary concern is any vulnerability where an attacker can siphon assets from our users in an unintended way. Secondarily, any vulnerability that could affect or compromise the availability or performance of our blockchain. Any issues beyond that will be considered Low severity at best.

Please Read This if you read anything

Our one and only asset DOES NOT INCLUDE OUR WEBSITE at sifchain.finance. That is a read-only, informational website; it has been pentested and security reviewed multiple times, and any issue you find there is likely a duplicate of one we are already aware of. Any report about it that does not acknowledge this fact will be treated as evidence that the report is most likely spam.

Response Targets

Sifchain will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 3-5 days |
| Time to Bounty | 3-5 days |
| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Sifchain development team, employees and all other people paid by Sifchain, directly or indirectly, are not eligible for rewards. The decision to reward DAO members for the same will be taken later, as we move towards the SifDAO model.

Documentation

A full set of documents and tutorials can be found at https://docs.sifchain.finance/. See also the readme.md file on how to build and connect as a validator node to our private testnet at https://github.com/sifchain/sifnode.

Out of scope vulnerabilities

Our primary concern is the integrity of on-chain financial assets and the availability and reliability of the chain. Any issue affecting these will be treated as Medium severity at a minimum (we aren't following the CVSS calculator terribly closely here). Issues outside of that will automatically be considered Low severity, and only if we consider them something we should improve based on generally accepted best practices. The bounty will fall within a range based on our subjective evaluation of significance and impact. Also, our website at sifchain.finance is completely out of scope.

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Any issue that doesn't lead to loss of funds or negatively impact the performance and availability of our blockchain network.

  • Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).

  • Previously known vulnerabilities in Tendermint and/or any other fork of it.

  • Previously known vulnerabilities in Cosmos SDK and/or any other fork of it.

  • Attacks requiring MITM or physical access to a user's device.

  • Attacks that consist of nothing more than overloading any public endpoint.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

  • Findings related to the encryption or access control of third-party wallets.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Attacking any network other than Sifchain's designated testnet or a private personal network set up for this program is prohibited.

  • Any activity that could lead to the disruption of our service (DoS).

Safe Harbor

Activities conducted consistent with this policy will not result in legal action. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Sifchain and our users safe!

In Scope

| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | https://github.com/sifchain/sifnode |

Out of Scope

| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | sifchain.finance |
