At Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.
Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.
Rewards for bugs will be classified into these categories for payout:
While there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.
If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated.
Tendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.
At present, the
SDK are in-scope. To qualify for a bounty, bugs must be:
Cosmos-SDK. As this repository is under rapid development, we will accept submissions that are valid on the
We’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.
Examples of vulnerabilities we’re interested include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.
Please see here __for a quick-start guide to
getting Tendermint running so you can start hunting for bugs. To work
Cosmos-SDK, start here __to learn more
about getting it up and running in your testing environment.
Please note that only the
tendermint repo and its libraries,
yubihsm-rs, as well as the
Cosmos-SDK is in scope for this bounty.
All other associated websites and services are out of scope, including:
Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.
Scanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
|￣￣￣￣￣￣| | happy | | hunting! | | ＿＿＿＿＿_| (\__/) || (•ㅅ•) || / づ
Contact us if you want more information.