


About Libra

Welcome to the Libra Blockchain Bug Bounty!

Libra’s mission is to enable a simple global currency and financial infrastructure that empowers billions of people. Libra is built on a secure, scalable, and reliable blockchain. The blockchain has been built from the ground up to prioritize scalability, security, efficiency in storage and throughput, and future adaptability.

We have launched the Libra testnet, a live demonstration of an early prototype of the Libra Blockchain software, also known as Libra Core. The Libra testnet is comprised of test validator nodes running Libra Core, the software which maintains the Libra cryptocurrency. In contrast to the forthcoming Libra mainnet, the testnet uses a digital currency with no real-world value.

In the meantime, this project is at an early prototype stage. Please let us know what you think. We are especially interested in your review of the security and privacy architecture and design as well as -- of course -- your bug reports.

To learn more about the Libra project goals, please refer to the Libra White Paper.


If you believe you have found a security vulnerability in any software or on any application related to Libra, we encourage you to let us know right away. We will investigate all legitimate reports. Before testing and reporting, please carefully read the terms below.

Bounty Program Terms

Libra practices public disclosure. Only resolved reports are eligible for disclosure, and the Libra Association must approve all disclosure requests. If a researcher publicly discloses any vulnerability information without approval from the Libra Association, the researcher will be considered in breach of this policy and not protected by Safe Harbor.

When submitting a bug report you agree to abide by the following terms and conditions (“Terms”). Failure to abide by these Terms could result in you not receiving a reward in addition to any other rights or remedies the Libra Association may have. Libra Association employees, Libra Association member employees, and Libra Association vendor employees are all strictly prohibited from participating in this bounty program. In addition to these Terms, your use of Libra Association services, including for purposes of participating in this bounty program, is subject to the Libra Association Code of Conduct.

1. Recognition and Rewards

  • The Libra Association recognizes and rewards security researchers who help us keep people and assets safe by reporting vulnerabilities to our program. Monetary bounties for such reports are entirely at the Libra Association’s sole discretion, based on severity, impact and other factors.

2. To potentially qualify for a bounty, you must first meet these


  • Adhere to these Terms and HackerOne disclosure guidelines.
  • You are not prohibited under applicable law from receiving any product, software or service offered by HackerOne or the Libra Association.
  • Report a security bug: that is, identify a vulnerability in Libra which can create a security risk. (Note that the Libra Association ultimately determines the severity of an issue in its sole discretion, and that many software bugs are not security issues.)
  • Describe in your report a problem involving one of the security issues listed as “In-Scope” (see section below). Note that certain types of potential security issues are excluded from this bounty program; these are listed under “Out of Scope” (see section below).
  • Submit your report via the Libra Security Page. Submit one issue per report and respond to the report with any updates. Please do not contact Libra Association employees directly or through other channels about a report.
  • Disclose in your report if you inadvertently cause a privacy violation or disruption (such as accessing private data, service configurations, or other confidential information) while investigating an issue.

3. Requirements on Those Submitting Reports

  • You represent that your bug report is your original idea and work product and has not been copied or misappropriated from any third party.
  • You will submit bug reports only from email or other accounts that you own or with the explicit permission of the account holder.
  • You will not exploit a security, privacy or other issue you discover for any reason. (This includes demonstrating additional impact, such as attempted compromise of sensitive data or probing for additional issues.)
  • You will not violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data or computer systems.
  • You will not violate the intellectual property or other rights of any third party.
  • You will not attempt to introduce any virus or malicious code into any computer system or data.

4. Evaluation Criteria

The following sets forth the Libra Association’s evaluation criteria. Each of these criteria is applied at the Libra Association’s sole and final discretion. This includes decisions as to whether a bug is in scope or out of scope. Decisions of the Libra Association are not appealable. By submitting a bug report you acknowledge and agree to this discretion.

  • Although we will try to investigate and respond to all valid reports, we do not guarantee that we will do so. Similarly, we will seek to prioritize evaluations based on risk and other factors, but do not guarantee that we will do so.
  • We determine bounty amounts based on a variety of factors, including (but not limited to), impact, ease of exploitation, and quality of the report.
  • In the event of duplicate reports, we award a bounty to the first person to submit an issue based on our sole determination. The Libra Association determines duplicates and may not share details of the other reports.
  • A given bounty is only paid to one individual. Therefore if you submit a report from multiple individuals you must designate who will receive the bounty, if any. Failure to designate an individual means the Libra Association will make that determination in its sole discretion. For reports submitted by multiple individuals, it is up to those individuals to determine how the bounty, which the Libra Association will pay to only one individual, will be allocated.
  • We reserve the right to publish reports (and accompanying updates) with hacker approval.
  • In some cases, bounty awards might not be permitted to be paid under the applicable laws of your jurisdiction. In those cases, your bounty award will be forfeited.

5. Security Concerns That Are In Scope

Security is critical to Libra’s global mission. In particular we want to guard against:

  • Forks
  • Transaction tampering
  • Block tampering
  • Validator compromise
  • Denial of Service due to a single or unique set of limited requests (attacks relying on numerous/spam requests are out of scope)
  • Non-experimental code calling experimental code
  • Double spending

We welcome your assessments and identification of risks and flaws in the general security of the Libra Blockchain, including:

  • Design or architecture
  • User or developer experience
  • Admission Control
  • Move language and Move VM
  • Information serialization and de-serialization
  • Buffer management
  • Consensus
  • Transactions
  • Smart contracts
  • Cryptographic primitives
  • Sample wallet

6. Security Concerns That Are Out of Scope

  • Spam or social engineering techniques
  • Denial-of-Service (due to numerous/spam requests or distributed attacks)
  • Security issues in third-party software or websites that integrate with the Libra Blockchain, except in the specific circumstances described in the Libra Bug Bounty program scope.
  • Folders marked as "experimental" in their respective
  • Reliability of the infrastructure hosting testnet

7. Non-Libra Issues Discovered

If you are looking to report another type of issue, please use the links below for assistance.

8. Amount of Bounty

  • The Libra Association will determine the amount of the bounty you are to receive, if any, in its sole and absolute discretion. These decisions are made on a case-by-case basis and are not appealable. The maximum amount of a bounty is $10,000.

9. General

  • We may cancel or modify this program or these Terms at any time. The Terms that apply to you are those posted here as of the date of your submission. Please check the latest Terms before you submit your report.
  • The Libra Association shall not be liable in any way for any claims arising from your use of the bounty program or your submitted reports. You hereby indemnify and hold harmless the Libra Association and its officers, directors, and employees from any claims arising from your breach of these Terms.
  • We (and any Libra Association member company that is the subject of your report) may retain any communications about security issues you report for as long as we deem necessary.
  • All taxes on a bounty, if any, are the responsibility of the bounty recipient.
  • These Terms shall be governed by the laws of Switzerland.

Submission Criteria

  • Summary of vulnerability and impact
  • Steps to reproduce
  • Working proof of concept

Response Targets

Response Target | Time (in business days)
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Bounty (from report triage) | 14 days
Resolution | Depends on severity and complexity

Libra Association User Terms

Note that your use of Libra Association services, including for purposes of this program, is subject to the Libra Association Code of Conduct. We (and any Libra Association member company that is the subject of your report) may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.

Reporting Non-Libra Vulnerabilities

If you are looking to report another type of issue, please use the links below for assistance.

In Scope


This program leverages 1 scope, in 1 scope category.
