Banner object (1)

Hack and Take the Cash !

661 bounties in database


250 $ 


At blockimmo, we are building a blockchain powered regulated platform for shared property investments and ownership. We are engaging HackerOne to run a bug bounty to ensure that our smart contracts are as secure as possible. All of blockimmo's smart contracts, and only blockimmo's smart contracts are in scope for this bug bounty. All other sites/resources are currently out of scope, even if affiliated with blockimmo.

The code is available in this GitLab repository __, where we include detailed documentation to quickly get you started. The README provides installation and testing instructions, along with a high-level overview of the project, summarizing and linking to specific contracts where more thorough docs can be found. The source code is protected under Non-Profit Open Software License version 3.0 (NPOSL-3.0) __.

Response Targets

blockimmo will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response | SLA in business days
First Response | 2 days
Time to Triage | 2 days
Time to Bounty | 14 days
Time to Resolution | depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Program Scope

  • Issue must be found in the latest version of the GitLab repository's master branch. Issues with previous versions of the smart-contracts will be awarded no bounty.
  • Provide steps to demonstrate the issue, preferably through a failing Truffle test case. Make sure to document what the intended behavior should be, and how our contract logic deviates from the intended behavior. Issues that cannot be reproduced will not be rewarded.
  • Be in the scope of the bug bounty. Specifically, be an issue solely with the code in our smart contracts. Issues such as MITM, exploits involving Metamask or Infura, are not in scope.
  • The api.js file is included for completeness's sake, but is also out of the scope of this bug bounty.
  • Additionally, issues about code-style, gas optimization, and the spec are out of scope.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • The person/group reporting the issue may not have been involved in smart contract development or auditing.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account/address holder.


Our rewards will be based on the severity as determined by blockimmo's team. We will evaluate the overall risk by combining the likelihood with the impact as outlined in the following table.


Please see the structured bounty table for an overview of bounties by severity. These amounts are the base awards, and bonuses will be awarded at our discretion. Bonuses can be awarded for exceptionally high-quality issue reports or providing fixes. The bonuses and determinations of severity are at blockimmo's sole discretion.

Things to look for

Here we outline issues we are concerned about at blockimmo. These can help our bounty-hunters of where to begin their search for issues.

Getting around compliance checks

Since blockimmo is a regulated platform, the restrictions on who can receive tokens and investment limits are necessary for compliance with the law. If there is a way to get around these checks through our current set of smart contracts, this is a potentially high impact issue. The overall severity can be considered critical depending on the likelihood of the bug causing a compliance violation, as well as how major the compliance violation is.

Loss of funds

A loss of funds bug includes any vulnerability where users lose access to funds/tokens in an unintended way. These would be vulnerabilities where an attacker can siphon funds or tokens. Also included in this would be any bug allowing someone to lock up funds in such a way that they are irrecoverable. The severity of these issues would be proportional to the funds lost.

Unintended behavior

The intended work-flows are described in comments in each source code file. If there are cases where smart contracts can fail to work as we intend, be sure to report it. This is our most general class of vulnerability, and impact will depend on the specifics of the bug raised. We realize this is a broad categorization, but we don't want the people reviewing our smart contracts to hold back.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep blockimmo and our users safe.

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2018