At Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.
Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.
Rewards for bugs will be classified into these categories for payout:
While there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.
If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.
Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated.
Tendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.
At present, only the
tendermint repo and the
are in-scope. To qualify for a bounty, bugs must be:
We’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.
Examples of vulnerabilities we’re interested include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.
Please see here __for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.
Please note that only the
tendermint repo and libraries are in scope for
All other associated websites and services are out of scope, including:
Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.
Scanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
|￣￣￣￣￣￣| | happy | | hunting! | | ＿＿＿＿＿_| (\__/) || (•ㅅ•) || / づ
Contact us if you want more information.