No technology is perfect, and Block.one believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
A Bug Bounty program is an open offer to external individuals to receive compensation for reporting EOSIO bugs, specifically related to security of the core functionality.
In principle, the core EOSIO software is in scope for the bug bounty program. This includes any of the latest versions of:
Public blockchains launched using EOSIO software will be outside of scope for the program.
Only the following design or implementation issues that substantially affect the stability or security of the project is in scope for the program. Common examples include:
For scenarios that do not fall within one of the above categories, Block.one still appreciates reports that help us secure our infrastructure and our customers. As such, we will reward those reports based on the following table. Please note these are general guidelines, and that reward decisions are up to the discretion of Block.one.
Min/Max | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS
4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
Minimum | $5,000 | $2,500 | $1,000 | $100
Maximum | $10,000 | $5,000 | $2,500 | $1,000
Note that the scope of the program is limited to technical vulnerabilities in Block.one software only; please do not try to sneak into Block.one offices, attempt phishing attacks against our employees, and so on.
Note that bug reports are only valid against x86-64 architecture and against 32-bit WASM builds. 64-bit WASM is outside of the scope of this program.
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case by case basis, here are some of the common low risk issues that typically do not earn a monetary reward:
That said, if you find outdated software and have good reasons to suspect that it poses a well defined security risk, please let us know.
Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Block.one.
If you have found a vulnerability, please submit a report through the HackerOne Platform. Note that we are only able to answer to technical vulnerability reports.
Please include following in your report:
Please be available to cooperate with Block.one engineering team to provide further information on the bug if needed.
Additionally, please note that unidentified report submitters will not be eligible for the bounty payment. Please expect to be asked for additional identification details for us to be able to progress with the payment. Please submit your report as soon as you have discovered a potential security issue. Block.one will consider the maximum impact and will choose the reward accordingly. We may pay higher rewards for otherwise well written and useful submissions where the reporter didn't notice or couldn't fully analyze the impact of a particular flaw.
Please note you will qualify for a reward only if you were the first person to alert us to a previously unknown flaw. We will update you on the progress of your report when it is accepted, validated, fixed and when the bounty is repaid.
Some restrictions to eligibility have been implemented. These restrictions relate to a minimum signal of 3. Hackers below this signal range will not be able to submit reports to our program.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Contact us if you want more information.