One of the foundations of decentralized security is community-driven auditing. We encourage you to identify bugs, penetration vectors, front-end vulnerabilities, financial attack vectors, and other issues that may risk or destabilize the network and its operations.
How it Works
To report a potential bug, please fill out the form below with detailed and comprehensive information.
Our team reviews and prioritizes reported bugs and implements fixes accordingly. Please allow us time to correct an issue before making it public.
Rewards
Rewards are proportional to the severity of the reported issue. Upon receipt of the completed form, our development team assigns a severity score to the problem and prioritizes it accordingly.
The assessment of the reported bug will follow the OWASP risk rating model, based on the impact and likelihood of the reported issue.
The following factors determine the reward amount per report:
- Demonstration of how the issue may be exploited to maximum effect.
- The severity of the issue.
- Issue complexity.
- Reproducibility of the issue.
- Existence of a pull request with a valid fix for the issue.
Below is a list of the approximate maximum amounts distributed, listed by order of bug severity:
- Low: up to 100 USD
- Medium: up to 500 USD
- High: up to 2,000 USD
- Critical: up to 5,000 USD
Stable tokens or an equivalent amount in PORTX tokens will be rewarded for valid bug reports. We might even pay higher amounts if we find the bug supercritical.
We encourage you to uncover issues with the following characteristics:
- Contracts: Logic flaws / security issues / financial breaches.
- Contracts: Possible exploits and vulnerabilities, both in architecture and implementation.
- Contracts: Upgradability and versions of schema attack vectors.
- ChainPort Protocol: Bugs, vulnerabilities, exploits, security breaches, cryptographic errors.
- Front-end: Possible exploits by inserting malicious code, XSS attacks, clickjacking attacks, or any vulnerabilities during Web3 interactions.
- API: Exploits, data breaches, leakages, permissions breaches, wrong behavior.
Please report issues for the related mainnet environment.
As future specs are continuously developed and deployed, we will review issues in the context of the current expected behavior on the mainnet. This excludes issues already undergoing fixes to be launched in the next version.
*We reserve the right to enlarge this pool or modify the reward amount without prior notice.
Eligibility
The first reporter who brings attention to a valid issue will be rewarded. ChainPort’s team might also choose to reward the first few people signaling the same problem within 7-14 days of the initial report.
The following will not meet the eligibility threshold for the bug bounty:
- Issues on a test environment that have just been deployed and are work-in-progress by the ChainPort devs
- Any issues on 3rd party sites/apps unless they are directly linked to an exploit or bug specific to ChainPort
- Issues depending on or arising from physical attacks
- Game-theoretic issues
- Known Issues
- Issues affecting outdated or unpatched browsers
- Issues that have not been thoroughly investigated and comprehensively reported
- Issues that cannot be reproduced
We ask and encourage the community to report any bugs, even if they are not eligible for a reward.
A better ChainPort is a win for all of us 😃
Scope for
Process
For security reasons, we might fix the bug even before contacting the reporter.