As we move closer to mainnet launch, we are stressing, testing, and evaluating our code more actively than ever: testing the cryptoeconomic design of the network through Game of Stakes, wrapping up our last set of external audits, and running our own exhaustive internal bug hunts, all to identify and mitigate as much security risk as quickly as we can. This week we expanded the scope of our bug bounty program so that bug hunters have more opportunities to be rewarded for finding and disclosing issues that present demonstrable security risk. The latest additions to the program are:
- Cosmos-SDK
The Cosmos-SDK is one of the newest development projects from the Tendermint team, and it has been actively growing, changing and evolving throughout 2018. Because it is a framework for building interoperable blockchains, the SDK is a large and complex codebase. This is the first time the code has been part of the bounty program, so if you are a security researcher, hacker, or blockchain developer, spending extra time getting to know its ins and outs (especially the Proof-of-Stake mechanisms) may be worth your while. We look forward to rewarding creative bugs, and we expect to see at least a few, since the code is in the early stages of its security lifecycle.
- Signatory, KMS, YubiHSM-rs
One of the most security-critical tasks a Cosmos validator undertakes while operating a node is defending its keying material against attack. To help validators build a defense-in-depth strategy, we have built a few tools that give them options for diverse architectures and security designs. If you are a bug hunter with experience in HSMs, key management, and/or encryption, it may be worth your while to spend some time on this part of our program.
- Tendermint core
Technically, Tendermint core has been part of the bounty program since its launch, but it would be rude to write a bug bounty post and not mention the OG at all. Over the better part of this year we have had some fantastic bugs and contributors come our way (clearly, the mempool was the hottest hit of the summer), and we have worked closely with the community to surface great p2p layer bugs while spinning up testnets. If you have a bit of spare time on your hands, check out our latest releases, or take a look at the mempool or p2p layer for inspiration.
For more information about our bug bounty program and rewards, visit our HackerOne page.