Banner object (1)

Hack and Take the Cash !

836 bounties in database
  Back Link to program      
13/06/2019
Algorand logo
Thanks
Gift
Hall of Fame
Reward

Reward

125 $ 

Algorand

Algorand was founded by cryptography pioneer and Turing award winner, Silvio Micali, to solve the “blockchain trilemma” with a platform that delivers decentralization, scalability and security. Algorand provides a foundation for existing businesses and new projects to operate globally in the emerging decentralized economy. Algorand’s first-of-its-kind, permissionless, pure proof-of-stake protocol supports the scale, open participation, and transaction finality required to build systems for billions of users.

Algorand invites you to test and help secure our innovative decentralized protocol. We appreciate your efforts and hard work in making the internet (and Algorand) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


Ratings/Rewards:

For the initial prioritization/rating of findings, a summary of the submission types accepted and their severity rating has been provided under this brief. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Vulnerability Categories:

Please note these will be the only vulnerability categories rewarded for

this program. No other submission types will be reviewed nor rewarded. Non- applicable submission types will be marked as such.

P1 categories:

  • Any methods of Remote Code Execution (RCE) on an Algorand node
  • Any methods of double spending, stealing, deleting/burning or creating Algos
  • Any methods to create two or more valid blocks for the same around (Forking)
  • Any methods which can lead to private key compromise

P2 categories:

  • Any security bug or issue in the cryptography relating (Non-third party) to key generations, signing and verification

P3 categories:

  • Any methods to censor transactions or eclipse nodes for the purpose of participation in consensus
  • Any Permanent Denial of Service (unable to progress with consensus protocol) to an Algorand node

P4 categories:

  • Any Denial of Service (unable to progress with consensus protocol) to an Algorand node
  • Any Denial of Service (termination of the process) to an Algorand node

P5 categories:

  • Any bug which allows an attacker to show corrupt information to a consumer of an API (does not need to necessarily corrupt any vital state)

Please test the latest released versions of each project available. Only

the newest released package is in scope.

Reward Range

Last updated 7 Apr 2019 23:02:50 UTC

Technical severity | Reward range
---|---
p1 Critical | $2,100 - $2,500
p2 Severe | $1,200 - $1,500
p3 Moderate | $500 - $750
p4 Low | $125 - $200

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
Algorand Node - https://github.com/algorand/go-algorand | Other
Algorand JavaScript SDK - https://github.com/algorand/js-algorand-sdk | Other
Algorand Java SDK - https://github.com/algorand/java-algorand-sdk | Other
Algorand Golang SDK - https://github.com/algorand/go-algorand-sdk | Other
Algorand Ledger App - https://github.com/algorand/ledger-app-algorand | Other
Algorand TestNet | Other

Out of scope

Target name | Type
---|---
<https://algorand.foundation/> | Website
Hosting Infrastructure of TestNet (AWS, Kubernetes, Other Participants, etc) | Other
Distributed denial of service | Other
Algorand.com | Website
Algorand.org | Website
Algorand MainNet | Other

Testing is only authorized on the target listed as In-Scope. Any domain/property of Algorand not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target Information:

You will test Algorand's protocol nodes, SDKs and their integration with TestNet, our primary testing location for the Algorand blockchain, by running your own instances using the hosted repositories found in the target section. Comprehensive documentation for each target can be found below and within each repository.

Documentation:


Out Of Scope:

Algorand considers Social Engineering attacks against Algorand employees a violation of Program Policies. Researchers engaging in Social Engineering attacks against Algorand employees will be banned from the Algorand Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Closing:

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.

The current Bug Bounty Program as described on this page is v1.0 of our Bug Bounty Program. We anticipate the need to improve it over time and appreciate any feedback you may have on what we can do better.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty © 2015-2019

Legal notices