Additions to the bug bounty program

This week, we’ve updated the scope of our bounty program to include a few new assets, and to increase the rewards for valid CosmosSDK bugs reported through our program. From now until mainnet launch, we’ll be paying all Cosmos-SDK bounties out at a reward rate of 1.5x.

If you report a valid CosmosSDK bug to us, your bounty for it could be:

  • Critical: $3,750 and up
  • High: $1,500 and up
  • Medium: $1,000 and up
  • Low: $200 and up

In terms of bounty payouts, we’ve deliberately structured our program to list the minimum amount you would be rewarded for finding a bug and not the maximum amount for a specific severity. We’ve chosen this route for a few reasons: we believe it is the most realistic way to run an ethical program that improves the resilience and security of our code, we believe that no one wins when payout amounts for a bug are capped, and we want to ensure that we are focused on competitively and fairly rewarding researchers for their finds.

As bug bounty programs have exploded in popularity over the past 5+ years, there has been a not-so-great trend where some programs marketed large, flashy maximum payout amounts to bug hunters (perhaps $100,000 or even $1 million), but the scope of the program stacked the odds against researchers and all but ensured that the reward was impossible to claim because the tools and tactics that would help a researcher get there would be out of bounds. That isn’t fair to researchers, and in many cases, the large reward was more of a distraction than an incentive to encourage researchers to surface and report issues that pose a real security risk to code and the people who trust, depend, and rely on it. We definitely aren’t interested in any of that, so when we’re calculating a reward for a bug submitted to our programs, we consistently consult our CVSS scoring tools (among other things) to help judge criticality, and we pay attention to HackerOne’s suggested payout amounts for bugs.

What that means for you, especially if you’re a bug hunter or you’re already actively contributing to our repositories and killing bugs as you go, is that the amounts listed above for Cosmos-SDK bugs are just the starting point for a bounty reward from now until mainnet launch. And if you write a clear, concise report or include a proof-of-concept that recreates the issue and makes the validation process for our team easier, your payout may be higher as we are always willing to pay out a bonus for your extra time, effort, and work.

In addition to increasing program rewards for the Cosmos-SDK, this week we’ve also added the repositories that are home to our Ledger App to our bug bounty program. (Side note: the Ledger Nano now comes in ALL the colors and they look amazeballs!!1!) So if you have some time over the holidays, check out our bug bounty program here.

Happy hacking, and of course, happy holidays!