Privacy is the top priority for PIVX and this should be reflected in all areas of our work. The PIVX-Project values the global information security community and is looking forward to working with the brightest minds in the space (you!) to find security vulnerabilities in our protocols and official implementation in order to keep our users and their funds safe.

SLA

PIVX-Project will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 2 business days
• Time to triage (from report submit) - 2 business days
• Time to bounty (from report triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines __.
• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• All Social engineering related attacks are prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with the PIVX testnet, never mainnet! The instructions how to get started with the dockerized testnet can be found here __. A dedicated security testnet is planned.
• Submissions must not be publicly disclosed before evaluation and payment. Public disclosure of a vulnerability makes it ineligible for a bounty.
• The PIVX core development team is not eligible for rewards.

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of PIVX.

Vulnerabilities in the core PIVX implementation

Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9)
---|---|---|---
$5,000 | $2,500 | $1,000 | $200

Good Vulnerability Starting Points (IN SCOPE)

We are continuously looking to find security issues affecting our blockchain protocol and its implementation. This list is not complete by any means but should provide a good starting point:

Security weaknesses:

• Bugs in our implementation of the cryptographic primitives (eg zerocoin)
• Remote Code Execution
• Theft (unauthorized movement of funds, access to private keys)
• Inflation (creation of coins by any method different from Staking)
• Netsplit (preventing a part of the peer to peer network from communicating with the other part of the network in a way that could be applied generically)
• Attacks on the PIVX zPIV implementation

Denial of Service attacks:

• Create invalid blockchain state
• Overload the whole network
• Overload a single client
• Crash a client
• Stall a client
• Disconnect client
• Create invalid client state

To find these vulnerabilities, you can use both the source code directly, or use the dockerized testnet __. A dedicated security testnet is planned. Never attack mainnet!

NOTE: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug*

OUT OF SCOPE Vulnerabilities

Since our main interest is in finding security problems affecting our blockchain protocol and its implementation, the following issues are considered out of scope:

• Any issues on *.pivx.org domains. We will put that IN SCOPE at a later point in time.
• Any vulnerabilities found on the PIVX mainnet.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Any activity that could lead to the disruption of our service (DoS), outside of the private testnet. 51% attacks, including those on the private testnet.
• Any issues already reported publicly on GitHub (https://github.com/PIVX-Project/PIVX/releases __).
• Any issues related to the PIVX discord channels.
• Any issues related to old / unsupported architectures. Only supported architectures have binary releases listed on https://github.com/PIVX-Project/PIVX/releases __.

Parameters for submissions

• Submissions must not be publicly disclosed before evaluation and payment
• Contact us first to allow us to fix any vulnerability found
• Reward goes to the first to report critical vulnerabilities found. Issues that have already been submitted by another user or are already known to the PIVX team are not eligible for bounty rewards
• Public disclosure of a vulnerability makes it ineligible for a bounty
• Don’t use the PIVX mainnet for bug hunting. Create a dedicated, local testnet. A dockerized testnet setup can be found here __
• The PIVX core development team is not eligible for rewards
• The PIVX homepage and infrastructure are NOT part of the bounty program
• PIVX bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the PIVX bug bounty panel

Thank you for helping keep PIVX-Project and our users safe!