At blockimmo, we are building a blockchain-powered, regulated platform for shared property investment and ownership. We are engaging HackerOne to run a bug bounty to ensure that our smart contracts are as secure as possible. All of blockimmo's smart contracts, and only blockimmo's smart contracts, are in scope for this bug bounty. All other sites and resources are currently out of scope, even if affiliated with blockimmo.
The code is available in this GitLab repository __, where we include detailed documentation to quickly get you started. The README provides installation and testing instructions, along with a high-level overview of the project, summarizing and linking to specific contracts where more thorough docs can be found. The source code is protected under Non-Profit Open Software License version 3.0 (NPOSL-3.0) __.
blockimmo will make a best effort to meet the following SLAs for hackers participating in our program:
Type of Response | SLA in business days
First Response | 2 days
Time to Triage | 2 days
Time to Bounty | 14 days
Time to Resolution | depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.
Our rewards will be based on the severity as determined by blockimmo's team. We will evaluate the overall risk by combining the likelihood with the impact as outlined in the following table.
Please see the structured bounty table for an overview of bounties by severity. These amounts are the base awards, and bonuses will be awarded at our discretion. Bonuses can be awarded for exceptionally high-quality issue reports or providing fixes. The bonuses and determinations of severity are at blockimmo's sole discretion.
Here we outline the issues we are most concerned about at blockimmo. They are intended to help bounty hunters decide where to begin their search.
Since blockimmo is a regulated platform, the restrictions on who can receive tokens, and the limits on how much any one investor may hold, are required by law. If there is a way to get around these checks through our current set of smart contracts, this is a potentially high-impact issue. The overall severity can be considered critical depending on how likely the bug is to cause a compliance violation, and on how serious that violation would be.
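To make this class of issue concrete, here is an added illustration in Solidity. It is not blockimmo's code and does not describe any bug in blockimmo's contracts; the contract names, the `whitelisted` mapping and the `maxBalance` cap are all hypothetical. The first contract enforces the recipient whitelist in `transfer()` but forgets it in `transferFrom()`, so a holder can approve a helper address and move tokens to a non-whitelisted recipient through the unchecked path. The second contract routes every balance change through one internal function that performs both the whitelist check and the holding-limit check, so no public entry point can skip them.

```solidity
pragma solidity ^0.8.0;

// Added example, not blockimmo's code. Whitelist is checked in transfer()
// but not in transferFrom(): the restriction can be bypassed.
contract LeakyRestrictedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public whitelisted; // hypothetical compliance list
    address public owner;

    constructor() { owner = msg.sender; }

    function setWhitelisted(address who, bool ok) external {
        require(msg.sender == owner, "not owner");
        whitelisted[who] = ok;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(whitelisted[to], "recipient not whitelisted");
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(whitelisted[to], "recipient not whitelisted"); // check present here
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // BUG: no whitelist check on `to`. A holder approves any address
    // (even themselves) and calls transferFrom to a non-whitelisted recipient.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hardened form: every balance movement goes through _transfer(), which
// enforces both the recipient whitelist and a per-holder cap (modelling an
// investment limit). Minting uses the same path so it cannot bypass the cap.
contract RestrictedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public whitelisted;
    uint256 public immutable maxBalance; // hypothetical holding limit per investor
    address public owner;

    constructor(uint256 _maxBalance) { owner = msg.sender; maxBalance = _maxBalance; }

    function setWhitelisted(address who, bool ok) external {
        require(msg.sender == owner, "not owner");
        whitelisted[who] = ok;
    }

    // Single choke point for all compliance checks.
    function _transfer(address from, address to, uint256 amount) internal {
        require(whitelisted[to], "recipient not whitelisted");
        require(balanceOf[to] + amount <= maxBalance, "holding limit exceeded");
        if (from != address(0)) {
            balanceOf[from] -= amount; // reverts on underflow in 0.8.x
        }
        balanceOf[to] += amount;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        _transfer(address(0), to, amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        _transfer(from, to, amount); // same checks as transfer()
        return true;
    }
}
```

When reviewing a restricted token, enumerate every function that changes a balance (transfer, transferFrom, mint, burn, any batch or admin helpers) and confirm each one reaches the same check; a restriction enforced on only some paths is equivalent to no restriction.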
A loss-of-funds bug is any vulnerability through which users lose access to funds or tokens in an unintended way: for example, an attacker being able to siphon funds or tokens. Also included is any bug that allows someone to lock up funds so that they are irrecoverable. The severity of these issues is proportional to the funds lost.
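As an added illustration of the "locked, not stolen" variant of this class, here is a hypothetical payout contract in Solidity. It is not blockimmo's code and does not describe any bug in blockimmo's contracts; the contract names and the `investors`/`shares` bookkeeping are assumptions for the example. `PushDistributor` sends each investor's share of the contract balance inside one loop and reverts if any single send fails. An investor address that cannot accept ETH (such as the `Griefer` contract, which has no `receive` or `fallback`) therefore makes every call to `distribute()` revert, and the balance can never be paid out. `PullDistributor` records what each investor is owed and lets them withdraw individually, so one bad recipient cannot block the others.

```solidity
pragma solidity ^0.8.0;

// Added example, not blockimmo's code. Push-payment loop: one failing
// recipient reverts the whole distribution and the pot is stuck forever.
contract PushDistributor {
    address public owner;
    address[] public investors;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor() { owner = msg.sender; }

    function addInvestor(address who, uint256 s) external {
        require(msg.sender == owner, "not owner");
        if (shares[who] == 0) investors.push(who);
        shares[who] += s;
        totalShares += s;
    }

    receive() external payable {}

    function distribute() external {
        uint256 pot = address(this).balance;
        for (uint256 i = 0; i < investors.length; i++) {
            address inv = investors[i];
            uint256 amount = pot * shares[inv] / totalShares;
            (bool ok, ) = inv.call{value: amount}("");
            require(ok, "transfer failed"); // BUG: one reverting recipient locks all funds
        }
    }
}

// A contract with no receive() or fallback(): any plain ETH send to it
// reverts. Once registered as an investor, it bricks PushDistributor.
contract Griefer {}

// Hardened form: distribute() only updates accounting; each investor pulls
// their own entitlement, and state is updated before the external call.
contract PullDistributor {
    address public owner;
    address[] public investors;
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    mapping(address => uint256) public owed;
    uint256 public reserved; // sum of all unclaimed entitlements

    constructor() { owner = msg.sender; }

    function addInvestor(address who, uint256 s) external {
        require(msg.sender == owner, "not owner");
        if (shares[who] == 0) investors.push(who);
        shares[who] += s;
        totalShares += s;
    }

    receive() external payable {}

    // Allocate only the not-yet-reserved balance; no external calls here.
    // Integer division may leave dust behind, which stays for the next round.
    function distribute() external {
        uint256 pot = address(this).balance - reserved;
        for (uint256 i = 0; i < investors.length; i++) {
            address inv = investors[i];
            uint256 amount = pot * shares[inv] / totalShares;
            owed[inv] += amount;
            reserved += amount;
        }
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;   // effects before interaction (reentrancy-safe)
        reserved -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed"); // only this caller is affected
    }
}
```

When reporting a locked-funds issue, state who can trigger the lock (any user, a registered investor, or only an admin), whether the funds are recoverable by an owner action, and the amount at risk, since severity is set in proportion to the funds affected.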
The intended workflows are described in comments in each source code file. If there are cases where the smart contracts can fail to work as we intend, be sure to report them. This is our most general class of vulnerability, and impact will depend on the specifics of the bug raised. We realize this is a broad categorization, but we don't want the people reviewing our smart contracts to hold back.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep blockimmo and our users safe.
Contact us if you want more information.