In order to provide the best quality of the product to the community, we are starting WAVES Bug Bounty Program.
The scope of the Program: versions of the Node which currently deployed to official nodes on MainNet. We are interested in security issues, issues which can break the blockchain consensus, issues leading to inoperability of the Node.
RULES & REWARDS
Please have a look at the bullets below before starting your hunt!
- Issues that have already been submitted by another user or are already known to the WAVES team are not eligible for bounty rewards.
- Public disclosure of vulnerability makes it ineligible for a bounty.
- WAVES core development team, employees are not eligible for rewards.
- WAVES Bug Bounty Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the WAVES Bug Bounty Panel.
The value of rewards paid out will vary depending on severity.
WAVES Bug Bounty Panel decides on the severity of the bug based (but not limited) on:
- the complexity of the conditions for the occurrence (the number of conditions that must coincide)
- how typical these conditions are for the most use cases
- how often functions in which the bug is found are used
- reproduction stability
- ability to break the consensus rules
- could it be used for unfair money getting
- could it be used for DoS
- could it lead to the fork
- does it lead to Node inoperability
The minimum payout is 10 WAVES and the maximum is 2000 WAVES for the most bugs.
The highly critical bugs can be valued by the WAVES Bug Bounty Panel above the maximum.
Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the WAVES Bug Bounty Panel.
Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with paid WAVES accumulating over the course of the Program.
In addition to severity, other variables are also considered when the WAVES Bug Bounty Panel decides the reward, including (but not limited to):
- quality of description. Higher rewards are paid for clear, well-written submissions.
- quality of reproducibility. Please include detailed instructions.
- quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.
How to report a bug
Just send your bug report to [email protected].
Important Legal Information
The WAVES Bug Bounty Program is an experimental and discretionary rewards program for our active WAVES community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the Program at any time, and awards are at the sole discretion of WAVES Bug Bounty Panel. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.