EOSIO Bug Bounty Program

No technology is perfect, and Block.one believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

A Bug Bounty program is an open offer to external individuals to receive compensation for reporting EOSIO bugs, specifically related to security of the core functionality.

Software Assets in Scope

In principle, the core EOSIO software is in scope for the bug bounty program. This includes any of the latest versions of:

• EOSIO blockchain software (https://github.com/EOSIO/eos )
• Eos.js libraries (https://github.com/EOSIO/eosjs )
• EOSIO Contract Development Toolkit software (https://github.com/EOSIO/eosio.cdt ) (specifically eosiolib, libc, and lib++/libcxx, other tools in this repo are out of scope)
• EOSIO Default Contracts (https://github.com/EOSIO/eosio.contracts )
• DoS style vulnerabilities will be considered in scope provided that the attack is effective due to specific code in the EOSIO repository (the above in scope repos), and no public mainnets are used for PoC. You may not use public mainnets to prove out DoS attacks, nor any Block.one production infrastructure. All PoC's must be done against a testnet with the permission of those running said testnet.

Public blockchains launched using EOSIO software will be outside of scope for the program.

Qualifying vulnerabilities

Only the following design or implementation issues that substantially affect the stability or security of the project is in scope for the program. Common examples include:

1. Cause nodeos to crash via the net_plugin (bnet_plugin is out of scope)
2. Cause nodeos to crash via the HTTP RPC API (http_plugin) with Patroneos protection
3. Send a contract into an infinite loop
4. Cause a contract to use large amount of memory (more than 64MB)
5. Crash nodeos with a contract
6. Trigger unauthorized actions on accounts
7. Cause a contract to run for more than 10 ms over deadline

For scenarios that do not fall within one of the above categories, Block.one still appreciates reports that help us secure our infrastructure and our customers. As such, we will reward those reports based on the following table. Please note these are general guidelines, and that reward decisions are up to the discretion of Block.one.

Min/Max | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
---|---|---|---|---
Minimum | $5,000 | $2,500 | $1,000 | $100
Maximum | $10,000 | $5,000 | $2,500 | $1,000

Note that the scope of the program is limited to technical vulnerabilities in Block.one software only; please do not try to sneak into Block.one offices, attempt phishing attacks against our employees, and so on.

Note that bug reports are only valid against x86-64 architecture and against 32-bit WASM builds. 64-bit WASM is outside of the scope of this program.

Program Rules

• Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things.
• We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
• To qualify for bounty, the security bug must be original and previously unreported.

Non-­qualifying Vulnerabilities

Depending on their impact, some of the reported issues may not qualify. Although we review them on a case ­by ­case basis, here are some of the common low ­risk issues that typically do not earn a monetary reward:

• WAST files Bugs found against Wasm JIT/ Binaryen that revolve around the WAST format are excluded from the HackerOne program. These types of bugs will never affect EOS, as the only format on the chain is WASM.
• Non x86-64 architecture Any reports found by building the EOSIO software against non-x86-64 architectures are not valid.
• 64-bit WASM EOSIO only supports 32-bit WASM builds. Any reports against 64-bit WASM builds are not valid.
• Build tools in the WASM SDK Tools in the WASM SDK repo are out of bounds. These include, but are not limited to eosio-readelf, eosio-objdump, eosio-ar, eosio-ranlib, etc.
• URL redirection or Phishing We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well ­designed and closely monitored redirectors outweigh their true risks.
• Flaws affecting the users of out ­of­ date systems. The security model of the web and blockchain is being constantly fine­ tuned. The panel will typically not reward any problems that affect only the users of outdated or unpatched systems.
• Presence of banner or version information. Version information does not, by itself, expose the service to attacks ­ so we do not consider this to be a bug.
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

That said, if you find outdated software and have good reasons to suspect that it poses a well ­defined security risk, please let us know.

Reward Amounts

• The base amount of a reward is currently $10,000 USD.
• The final amount is always chosen at the discretion of the reward panel.
• In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide to pay lower rewards for vulnerabilities that require unusual user interaction; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.
• For multiple vulnerabilities with one underlying root cause, where one fix can be applied to remediate, we will consider this as one vulnerability and only award once.

Investigating and reporting bugs

Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Block.one.

If you have found a vulnerability, please submit a report through the HackerOne Platform. Note that we are only able to answer to technical vulnerability reports.

Please include following in your report:

1. Asset - What software asset the vulnerability is related to (e.g. EOSIO core software/eosjs)
2. Severity - Your opinion on the severity of the issue (e.g. high, moderate, low)
3. Summary - ­Add summary of the vulnerability
4. Description -­ Any additional details about this vulnerability
5. Steps - Steps to reproduce
6. Supporting Material/References ­- Source code to replicate, list any additional material (e.g. screenshots, logs, etc.)
7. Impact - What security impact could an attacker achieve?
8. Your name and country.

Please be available to cooperate with Block.one engineering team to provide further information on the bug if needed.

Additionally, please note that unidentified report submitters will not be eligible for the bounty payment. Please expect to be asked for additional identification details for us to be able to progress with the payment. Please submit your report as soon as you have discovered a potential security issue. Block.one will consider the maximum impact and will choose the reward accordingly. We may pay higher rewards for otherwise well written and useful submissions where the reporter didn't notice or couldn't fully analyze the impact of a particular flaw.

Please note you will qualify for a reward only if you were the first person to alert us to a previously unknown flaw. We will update you on the progress of your report ­ when it is accepted, validated, fixed and when the bounty is repaid.

Legal points

Some restrictions to eligibility have been implemented. These restrictions relate to a minimum signal of 3. Hackers below this signal range will not be able to submit reports to our program.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.