Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Matic Network will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 2 business days

• Time to triage (from report submit) - 2 business days

• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

• Reports out of scope will not be considered. Please check before you submit.

• Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited

• Attacking any other network than Matic Network is prohibited

• Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.

Test Plan

Getting Started

• If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture

• Explore the code on GitHub there are 3 main repositories for you to study

Heimdall - https://github.com/maticnetwork/heimdall

Bor - https://github.com/maticnetwork/bor

Contracts - https://github.com/maticnetwork/contracts

Setting up

• Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli

The Matic CLI repo is an easy way to set up and manage Matic validator nodes in a local environment. This would help in simulating tests and attacks locally.

Getting Tokens for Testing

• To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network

You’re now set up to start looking for vulnerabilities.

Have questions?

Check out the forum and join the discussion on Discord.

Forum - https://forum.matic.network

Discord - https://discord.gg/XvpHAxZ

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.

| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |

|----------|--------|---------|------|

| $5,000 | $3,000 | $1,500 | $300 |

Indicative examples of valid attacks that could be done on Matic Network

| Type of Attack |

|----------|

| Double spend by getting the clients to accept a different chain |

| Double spend by validating malicious blocks|

| Tamper/manipulate blockchain history to invalidate transactions |

| Cause network to mint tokens to own account |

| Undermine consensus mechanism to split the chain |

| Censorship (e.g. on votes) |

| Steal tokens from node |

| Prevent node from accessing the network |

| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |

| DDOS attack |

| Chain halt and shutting down the network |

| ... |

In Scope Repositories

• Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.

URL - https://github.com/maticnetwork/heimdall

Category - Critical

• Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible.

URL - https://github.com/maticnetwork/bor

Category - Critical

• Contracts - This repository contains the smart contracts that power Matic Network

URL - https://github.com/maticnetwork/contracts

Category - Critical

Out of Scope Repositories examples

• Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.

• Website - The Matic Network website

URL - https://matic.network

• Matic JS

URL - https://github.com/maticnetwork/matic.js

• Matic Scabbards

URL - https://github.com/maticnetwork/matic-scabbards

And any other repositories that are not mentioned “In-Scope” is considered as out of scope.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).

• Previously known vulnerabilities in Tendermint and or/any other fork of these.

• Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Matic Network and our users safe!