Bug Bounty Program¶
The Alpha launch bug bounty program aims to allow the users to identify and raise issues that they might face while using the application. The program will run for a duration of 10 days starting from the launch (until 25th June, 12:00 UTC) with rewards totalling $25,000 to be distributed.
Learn more about the pSTAKE Alpha launch.
NOTE: Only Test ATOMs and ETH (Ropsten) is used in the Bug Bounty Program and not real assets(or coins).
Bugs Categorization¶
The criticality of potential bugs on pSTAKE have been categorized into three categories. These categories and the reward eligibilities thereof are as follows:
| Category | Rewards | Description |
|---|---|---|
| High | $1000 | An issue that might cause immediate loss of the funds or permanent/severe damage of the protocol state |
| Medium | $500 | An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction |
| Low | $100 | An issue that might cause user dissatisfaction or minimal failure of the application |
The issue category will be decided by pSTAKE and shall not be open to dispute.
Out-of-Scope Vulnerabilities¶
Some of the vulnerabilities that are excluded from this bug bounty program rewards:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain¶
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Sybil attacks
Websites and Apps¶
- Theoretical vulnerabilities without any proof or demonstration
- Content spoofing / Text injection issues
- Self-XSS
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring unlikely user actions
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Attacks requiring privileged access from within the organization
- Feature requests
Ground Rules¶
Every game comes with a set of rules:
- Rewards will be decided on a case by case basis and the bug bounty program terms and conditions are at the sole discretion of pSTAKE.
- All bugs raised will be verified and approved by pSTAKE. The protocol will also decide the category of the raised bugs.
- Duplicated issues are not eligible for reward. The first submission would be the eligible one.
- If you want to add more information to a provided issue, create a new submission giving reference to the initial one.
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of pSTAKE.
- Issue submissions need to be within the bug bounty scope and issues out of scope aren't eligible for rewards.
- The following activities are prohibited by bug bounty program:
- Public disclosure of a vulnerability
- Any testing with mainnet
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Any physical attempts against pSTAKE property or data centers
- Social engineering (including phishing) of pSTAKE staff or contractors
- The rewards for the program shall be disbursed to the eligible participants within 30 days of the program’s conclusion.
- Terms and conditions of the bug bounty process may vary over time.