Additions to the bug bounty program

As we move closer to mainnet launch, we’re more actively stressing, testing, and evaluating our code than ever: whether we’re testing the cryptoeconomic design of the network through Game of Stakes, wrapping up and finalizing our last set of assessments through robust audits, or engaging in our own exhaustive internal bug-hunting, we are working diligently to identify and mitigate as much security risk as quickly as we can. This week, we’ve expanded the scope of our bug bounty program to provide more opportunities for bug hunters to be rewarded for finding and disclosing issues that present demonstrable security risk. Our latest additions to the program include:

• Cosmos-SDK

The Cosmos-SDK is one of the newest development projects from the Tendermint team and it has been actively growing, changing and evolving throughout 2018. Because it is a framework that enables blockchain interoperability, the SDK is a complex codebase. Since this is the first time the code has been part of the bounty program, spending extra time getting to know the its ins and outs (especially Proof-of-Stake mechanisms) may be worth your while if you’re a security researcher, hacker, or blockchain developer— we’re looking forward to rewarding creative bugs that come our way, and expect to see at least a few as the code is in the early stages of its security lifecycle.

• Signatory, KMS, YubiHSM-rs

One of the most security-critical tasks that Cosmos validators will undertake while operating a node is defending against attacks on keying material. To help validators build better defense-in-depth strategy, we’ve built a few tools to give them options to support diverse architectures and security designs. If you’re a bug hunter with experience in HSMs, key management, and/or encryption, it may be worth your while to spend some time in this part of our program.

• Tendermint core

Technically, Tendermint core has been part of the bounty program since its launch, but it would be rude to write a bug bounty post and not mention the OG at all. Over the better part of this year, we’ve had some fantastic bugs and contributors come our way— clearly, the mempool was the hottest hit of the summer— and we’ve worked closely with the community to surface great p2p layer bugs while spinning up testnets. If you have a bit of spare time on your hands, check out our latest releases or take a look at the mempool or p2p layer for a bit of inspiration.

For more information about our bug bounty program and rewards, visit our HackerOne page here.

This week, we’ve updated the scope of our bounty program to include a few new assets, and to increase the rewards for valid CosmosSDK bugs reported to through our program. From now until mainnet launch, we’ll be paying all Cosmos-SDK bounties out at a reward rate of 1.5x.

If you report a valid CosmosSDK bug to us, your bounty for it could be:

• Critical: $3,750 and up
• High: $1,500 and up
• Medium: $1,000 and up
• Low: $200 and up

In terms of bounty payouts, we’ve deliberately structured our program to list the minimum amount you would be rewarded for finding a bug and not the maximum amount for a specific severity. We’ve chosen this route for a few reasons: we believe it is the most realistic way to run an ethical program that improves the resilience and security of our code, we believe that no one wins when payout amounts for a bug are capped, and we want to ensure that we are focused on competitively and fairly rewarding researchers for their finds.

As bug bounty programs have exploded in popularity over the past 5+ years, there has been a not-so-great trend where some programs marketed large, flashy maximum payout amounts to bug hunters-- perhaps $100,000 or even $1 million-- but the scope of the program stacked the odds against researchers and all but ensured that the reward was impossible to claim because the tools and tactics that would help a researcher get there would be out of bounds. That isn’t fair to researchers, and in many cases, the large reward was more of a distraction than an incentive to encourage researchers to surface and report issues that pose a real security risk to code and the people who trust, depend, and rely on it. We definitely aren’t interested in any of that, so when we’re calculating a reward for a bug submitted to our programs, we consistently consult our CVSS scoring tools (among other things) to help judge criticality, and we pay attention to HackerOne’s suggested payout amounts for bugs.

What that means for you, especially if you’re a bug hunter or you’re already actively contributing to our repositories and killing bugs as you go, is that the amounts listed above for Cosmos-SDK bugs are just the starting point for a bounty reward from now until mainnet launch. And if you write a clear, concise report or include a proof-of-concept that recreates the issue and makes the validation process for our team easier, your payout may be higher as we are always willing to pay out a bonus for your extra time, effort, and work.

In addition to increasing program rewards for the Cosmos-SDK, this week we’ve also added the repositories that are home to our Ledger App to our bug bounty program. (Side note: the Ledger Nano now comes in ALL the colors and they look amazeballs!!1!) So if you have some time over the holidays, check out our bug bounty program here.

Happy hacking, and of course, happy holidays!