Tendermint Bug Bounty Program

At Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.

Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.

Rewards for bugs will be classified into these categories for payout:

  • Critical: $2,500 and up
  • High: $1,000 and up
  • Medium: $500 and up
  • Low: up to $100

While there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.

If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.

Program Scope

Tendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.

At present, the tendermint repo, signatory, kms, yubihsm-rs, go-amino and iavl libraries, Ledger-Cosmos, ledger-cosmos-app and Cosmos-SDK are in scope. To qualify for a bounty, bugs must be:

  • Valid on the master branch of the corresponding repository, unless they're in Cosmos-SDK; as that repository is under rapid development, we will also accept submissions that are valid on its develop branch.
  • Valid for 64-bit machines with at least 2 GB RAM.
  • Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.
  • Valid using Tendermint’s built-in persistent_dummy application.

We’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.

Examples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service, lost-write bugs, and payloads/transactions that cause panics.

Please see here for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start here to learn more about getting it up and running in your testing environment.

Please note that only the tendermint repo and its libraries, signatory, kms, yubihsm-rs, as well as the Cosmos-SDK, are in scope for this bounty. All other associated websites and services are out of scope, including:

Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.

Scanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

| ̄ ̄ ̄ ̄ ̄ ̄|
| happy     |
| hunting!  |
| ______| 
(\__/) || 
(•ㅅ•) || 
/   づ

FireBounty (c) 2015-2019