Cybersecurity of the company and the security of our users' data is a top priority for us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.
To participate in the contest, you must agree and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward.
You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.
After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and / or executable codes and scripts related to the vulnerability discovered on publicly available services and resources so that the information is not available to third parties.
This Bug Bounty ONLY limits to the code.
Do code review for logical and security mistake in our testnet: VeChainThor is a new public blockchain that was written from scratch by the VeChain team. VeChainThor leveraged some of the features of Ethereum such as EVM. The VeChain team has added a lot enterprise friendly features at the core blockchain level so that it could be easily used by any developer or user on the platform. Some of the major features are:
Follow the updates via a special tab in the program, if you have any further questions feel free to ask via online chat on the site.
Thor is VeChain's new generation blockchain project. It's the oﬃcial implementation written in golang.
1) Download mainnet source code, vendor dependency packages and VeChain Thor Tutorial via Github.
2) Connect to the testnet, generate wallet address by yourself and receive test tokens via faucet.
Protocol and Network
Scenarios for DoS attacks.
51% and other X% attacks
Elliptic curve (secp256k1, ECDSA,ECDH,ECIES).
Hash algorithms (Keccak-256,Blake2b).
Merkle Patricia trees.
It’s exclusive program where you can receive a reward in VET in exchange for discovered vulnerabilities within the scope. We appreciate your efforts in taking out time and pointing it out to us, it helps us be better in our approach. While we are very thankful for your efforts, we don’t want them to go unrewarded. Eligible bug rewarded based on the CVSSv3 severity and we set next payout range:
Severity (CVSSv3) | Reward*
Critical | 10,000 USD
High | 5,000 USD
Medium | 2,500 USD
Low | 500 USD
*The rewards will be paid out in VET based on the current price.
However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward. In special cases, the size of the award can be increased if the researchers demonstrate how the vulnerability can be used to inflict maximum harm.
Will make a best effort to meet the following SLAs for researchers who is participating in our program:
SLA | Plan
Time to first response (from report submit) | 1 day
Time to triage (from report submit) | 3 days
Time to bounty (from triage) | 5 days
We’ll try to keep you informed about our progress throughout the process.