AWS Penetration Testing Approval Form

Over the past week, we’ve been discussing ways to help Game of Stakes participants navigate the registration process, especially completing the AWS penetration testing form mentioned in the GoS guidelines. To give participants a bit more time to ensure they’re respecting platform policies, we’ve extended the deadline for Game of Stakes registration through October 22nd.

On our end, we’ve evaluated a few different options to help participants meet the requirements of the pentesting form. A few options we’ve discussed (and dismissed) have included:

  • Setting up a VPN that participants could connect to and use to send attack traffic. This option mirrors a practice used in some bug bounty programs, and it would ensure that participants on AWS were respecting policy, though it presented a few downsides that would require amending contest guidelines.

  • Collecting IP addresses from participants. This could be an unwieldy process and may not result in a complete and exhaustive list, but it would enable participants on AWS to meet the information requirements of the pentesting form and respect usage policies.

  • Encouraging participants to fill out the form without providing IPs, and instead providing a description of the challenge and its goals with an additional note about potential adversarial activity during the testing of our distributed network. Given how their approvals process works, this probably wasn’t going to end the way we wanted it to so it landed in the “No” pile pretty quickly.

After reflecting on our biggest goals for the contest and reaching out to a few contacts for clarification around conflicting advice, we realized that the options we had been discussing were unnecessary (and kind of a pain, tbh).

When we wrote the guidelines for Game of Stakes, I initially recommended that we mention the pentest form in the guidelines out of an abundance of caution, but Game of Stakes is a cryptoeconomic challenge in an adversarial environment, not a formal pentesting engagement with intrusion technology at the core.

What that means for participants on AWS is pretty simple: you can forget about the pentesting form. Instead, what you will need to do to ensure compliance with AWS policy is request authorization for a simulated event.

To do that, you’ll need to send an email to aws-security-simulated-event@amazon.com, per Amazon’s guidelines (scroll down to “Simulated Events” to confirm), and provide them with information about:

  • Dates
  • Accounts involved
  • Contact information including phone number
  • Detailed description of the planned events

For the purposes of this form, the best date range to use is October 26th through November 30th. To provide the best answer for the question about accounts involved, you may want to include the AWS accounts of validators you may be working to collude with during the challenge, and also mention that this is a test of a decentralized network, so there will be participants that you may not be able to include information for. If you’d like to supply contact information for the Tendermint team in the form, you are welcome to include security@tendermint.com in your response… if they reach out to us, I will definitely see it there. Additionally, you can always use our Game of Stakes blog posts and the guidelines to add to your description of planned events.

After reaching out to AWS, you should receive an email confirming receipt of your submission from a human who works for them within 2 business days.

If you’ve filled out the pentesting form already, if you’re waiting for a response, or if it has been stressing you out, thank you for bearing with us and being patient through this last change in the run up to the game.

May the odds be ever in your favor 🙂