06/08/2019
dfuse Platform Inc.

Background

NOTE: Security Issues are NOT in scope for this program, only data integrity issues

On the web today, it is commonly assumed that when you query a web service, the returned data is legitimate. However, with the kind of information that blockchains deal with -- financial, ownership, authorizations -- the decisions you make based on that data could have a material impact on your life or your business, so data integrity becomes critical.

While some people assume that open source software is more trustworthy, when you query a web-based service, you normally have no way to validate what is running on the other side, whether the software has been tweaked or has been properly configured in the first place. The fact that a web service is supposedly running open source vs. closed source software is irrelevant to data integrity -- neither gives you a reliable integrity guarantee. And if the service is a front-end to blockchain data, even the integrity guarantees provided by the blockchain protocol itself can be diluted by your use of an intermediary process.

At dfuse, we believe it is important that API services providing access to blockchain data provide real assurance to their users regarding the integrity of the data they serve up. And we believe that these services should have skin in the game and put their money where their mouth is. This is why, today, we're announcing the dfuse Data Integrity Bounty Program in partnership with the trusted hacker-powered security platform HackerOne, along with our Data Integrity Proof Protocol.

Through this program, we are making a commitment to the integrity of the data available through the dfuse APIs. The program commits dfuse to providing only data that is complete and correct, and puts our skin in the game to back this commitment. Here are the details.

Scope

NOTE: Security Issues are NOT in scope for this program, only data integrity issues

Endpoints in scope:

  • https://mainnet.eos.dfuse.io (see the In Scope table below)

Qualifying Integrity Issues:

Any data that is part of the general consensus (anything hashed in a block) that is mis-reported by one of the dfuse endpoints listed above. For example:

  • Binary data (hex_data) from actions that does not match the action merkle root in the transaction traces.
  • Missing inline actions or missing data (unless such filtering is requested, e.g. through the GraphQL endpoint).
  • Any other meaningful discrepancies between dfuse output and general consensus data.

We further divide data integrity issues into two categories: high-impact and low-impact:

  • Example of low impact issue: mis-reported receipt.act_digest that would not directly cause an erroneous decision.
  • Example of high impact issue: the data payload of an action reporting a different amount for an eosio.token::transfer than the one agreed to by consensus.

We are offering bounties for reports identifying such issues, based on the following table:

Rewards

Please note these are general guidelines, and that reward decisions are at the discretion of dfuse:

Min/Max | Low Impact | High Impact
---|---|---
Minimum | $100 | $500
Maximum | $500 | $1,000

Note that the scope of the program is limited to data integrity issues in dfuse software, as produced by our engineers, only; please do not try to hack into our platform, break into our offices, attempt phishing attacks against our employees, and so on.

Program Rules:

  • Please be mindful of the volume of data you consume, so as not to disrupt usage, cause a Denial of Service, or have other harmful impacts.
  • To qualify for the bounty, the integrity issue must be original and previously unreported.
  • After a fix has been announced and released for a given issue, a new report can be submitted if new issues are found.
  • Reporting must be done through HackerOne, and be kept confidential until a fix is confirmed to be deployed by the dfuse team.

Reward Amounts:

  • Refer to the above table for the reward guidelines.
  • The final amount is always chosen at the discretion of the dfuse reward panel.
  • In particular, we may decide to pay higher rewards for unusually clever or severe integrity issues; decide to pay lower rewards for integrity issues that require unusual user interaction; decide that a single report actually constitutes multiple issues; or that multiple reports are so closely related that they only warrant a single reward.
  • For multiple integrity issues with one underlying root cause, where one fix can be applied to remediate, we will consider this as one integrity issue and only award once.

Investigating and reporting issues

Please do not engage in any activity that would be disruptive or damaging to your fellow users or to dfuse.

If you have found an integrity issue, please submit a report through the HackerOne Platform. Only issues reported through the Platform will be considered for the bounty. For other questions unrelated to this Program, please reach out through normal means such as our Telegram channel.

Please include the following in your report:

  • Code used to call the endpoint, with surrounding initialization methods, with the exception of API key material
  • Endpoint and method called
  • Date and time of the requests
  • What you expected the data to be
  • One or more data points from non-dfuse sources that you used to compare the data
  • References to block ids and transactions
  • The Data Integrity Protocol Proof we returned through the endpoint (see the documentation for details)
  • Your name and country

Please be available to cooperate with our engineering team to provide further information on the issue if needed.

Please submit your report as soon as you have discovered a data integrity issue. dfuse will consider the maximum impact and will choose the reward accordingly. We may pay different rewards for otherwise well written and useful submissions where the reporter didn't notice or couldn't fully analyze the impact of a particular issue.

Please note that you will qualify for a reward only if you were the first person to alert us to a previously unknown flaw. We will update you on the progress of your report when it is accepted, validated, fixed and when the bounty is paid out.

Legal

You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope

Scope Type | Scope Name
---|---
web_application | https://mainnet.eos.dfuse.io

FireBounty © 2015-2019