Tendermint Bug Bounty Program
At Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.
Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.
Rewards for bugs will be classified into these categories for payout:
* Critical: $2,500 and up
* High: $1,000 and up
* Medium: $500 and up
* Low: up to $100
While there is no maximum program reward, we will reward creative or severe bugs accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.
If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.
Valid issues reported to this program will be disclosed responsibly once they have been remediated.
Tendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.
At present, only the tendermint repo and the abci, go-amino, go-crypto and iavl libraries are in-scope. To qualify for a bounty, bugs must be:
* Valid on the master branch of the corresponding repository
* Valid for 64-bit machines with at least 2 GB RAM
* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious
* Valid using Tendermint’s built-in persistent_dummy application
We’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.
Examples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service, lost-write bugs, and payloads/transactions that cause panics.
Please see here (https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.
Please note that only the tendermint repo and libraries are in scope for this bounty.
All other associated websites and services are out of scope, including:
Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.
Scanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, issues requiring social engineering components are ineligible for reward as part of this program.
Happy hunting!
Hall of Fame