The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood.
Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, etc.) and protocol implementation. Classical client security as well as security of cryptographic primitives are also part of the program. Details on the scope follow:
Protocol Design Security
The RSK protocol stack has some similarities with Ethereum, but differs in many ways. Most of the protocols, such as consensus, blockchain synchronization, the state trie and the EVM, have been redesigned or modified. As there is currently no formal description of these new protocols, vulnerabilities in the protocol design will be evaluated against the intended functionality, which may not be evident.
We encourage researchers to look for problems in the design of the following areas:
Implementation security
Client protocol implementation security
Assuming that the protocol and algorithm designs are flawless, does a client implementation conform to the intended behaviour? Issues could include:
This category focuses on generalized attacks on the whole network or a subset of it:
Attacks on a single RSK client relating to the RSK platform:
This category addresses more classical security issues:
Applied Cryptographic security
This category includes:
Is the bug bounty program time limited?
No end date is currently set.
How are bounties paid out?
Rewards are paid out in BTC after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your BTC address.
I reported an issue / vulnerability but have not received a response.
We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.
I want to stay anonymous.
Submitting anonymously or with a pseudonym is OK, but will make you ineligible for BTC rewards. To be eligible for BTC rewards, we require your real name and a proof of your identity. Donating your bounty to a charity doesn’t require your identity.
I have further questions.
Email us at firstname.lastname@example.org
Do you have a PGP key?
If you consider the finding to be of high or critical severity, please submit your report encrypted to the PGP public key that can be downloaded from here: https://secchannel.rsk.co/
The bug bounty program aims to encourage the academic, hacker, and development communities to analyze the RSK platform and help improve it. RSK can cancel the program at any time, at its sole criteria and decision. Also, RSK has the full and exclusive right and power to modify or amend, at its sole decision, the terms and conditions of the program, including the rewards rules. The changes will come into effect on the revision date shown in the revised terms. By continuing to use the program you are agreeing to the revised terms. Every award, reward and/or payment to be made under these terms and conditions of the program shall be determined at the sole discretion of RSK. All awards, rewards and/or payments are subject to applicable law. In addition, RSK is not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists set forth by the Organization for Economic Co-operation and Development (OECD). You will be solely and exclusively responsible for all the applicable taxes accrued over the rewards and/or payments to be made under this program. In order to receive the applicable reward, your vulnerability research must not violate any law or compromise any data that is not your property. In addition, RSK will not be responsible for any breach or violation of any third party right or property that you may have incurred during your testing process and your participation in the program. To the fullest extent permitted by law, you shall defend, indemnify and hold harmless RSK and its respective members, partners, managers, officers, affiliates, employees, agents and assignees from and against any and all liability (common law, equitable, statutory and/or punitive), claims, suits, losses, damages, demands and expenses (including, without limitation, reasonable attorneys’ fees and costs) brought by third parties arising out of, or related to, your testing process or vulnerability research.
In consideration of the vulnerability reports and the assignments mentioned hereof, RSK will pay you the reward which will be set forth at the sole discretion of RSK using the To the maximum extent permitted by applicable law, you hereby release and waive all claims against RSK, its subsidiaries, affiliates, officers, agents, licensors, co-branders or other partners, and employees (hereinafter, the "Representatives") from any and all liability for claims, damages (indirect, special, incidental, punitive, actual and/or consequential), costs and expenses (including litigation costs and attorneys’ fees) of every kind and nature, arising from or in any way related to your participation in the Program. In addition, you expressly waive and relinquish any and all rights and benefits which you may have under any particular state or federal statute or law principle to the fullest extent permitted by law. Participants in the Program understand and acknowledge that through their participation there is no creation, and should not be interpreted or construed as creating, any agency, partnership, joint venture, franchise, or employment relationship between the participant and RSK. If any provision of this Program is found to be invalid (partially or totally), participants nevertheless agree to give effect to RSK’s intentions as reflected in the provision and that the other provisions remain in full force and effect. These Terms & Conditions shall be governed by and construed in accordance with the laws of the British Virgin Islands. State of New York without regard to principles of conflicts of law. Any and all differences, controversies and disputes of any nature whatsoever arising out of or relating to this Program, including any dispute relating to its validity, interpretation, performance or termination, shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by three arbitrators appointed in accordance with said Rules.
The arbitration proceedings shall be conducted in the English language and the seat of the arbitration shall be the British Virgin Islands. The arbitrators appointed in connection herewith shall be knowledgeable in the laws of the British Virgin Islands and fluent in the English language. All submissions and awards in relation to arbitration under these Terms shall be made in English, and all arbitration proceedings and all pleadings shall be in English. Witnesses not fluent in English may give evidence in their native tongue (with appropriate translation). Original documents in a language other than English shall be submitted as evidence in English translation accompanied by the original or a true copy thereof. The procedural rules governing arbitration hereunder shall be established by the arbitrators; provided that (i) each party may call upon the other party to supply the arbitrators with documents in such other party's control relevant to the dispute; (ii) each party shall be entitled to present the oral testimony of witnesses as to fact and expert witnesses; (iii) each party shall be entitled to question directly any witnesses who present testimony to the arbitrators; and (iv) at the request of any party, a written transcript in English shall be made of each hearing before the arbitrators and shall be furnished to the parties. The arbitrators may, at the request of any party, order provisional or conservatory measures; provided that, to the extent necessary to prevent irreparable damage, any party may petition any court of competent jurisdiction for a preliminary injunction, temporary restraining order or other interim equitable relief pending the appointment of the arbitrators and action by the arbitrators upon any request for provisional or conservatory measures. Each party participating in such arbitration shall pay its own legal fees and expenses incurred in connection with the arbitration and the expense of any witness produced by it.
The cost of any stenographic record and all transcripts thereof shall be pro-rated equally among all parties ordering copies and shall be paid by the parties directly to the reporting agency. All other expenses of the arbitration, including required traveling and other expenses and fees of the arbitrators and the expenses of any witness or the cost of any proof produced at the request of the arbitrators, shall be borne as determined by the arbitrators. Any award shall be final and not subject to appeal and the parties waive all rights to challenge any award of the arbitrators. Any award may be entered or presented by any of the parties for enforcement in any court of competent jurisdiction sitting in the British Virgin Islands, and the parties hereby consent to the jurisdiction of such court solely for purposes of enforcement of any award.