2key network offers financial rewards to community members for identifying and reporting valid vulnerabilities and exploits on the 2key network. One of the foundations of decentralized security is community-driven auditing. 2key network encourages you to identify bugs, penetration vectors, financial attack vectors, and other issues that may destabilize the network and its functioning.
To report a potential bug, please fill out the form below with detailed and comprehensive information.
The 2key team reviews and prioritizes the reported bugs and implements fixes within 90 days. If you have reported an issue, allow the team this time to push the fix before you publish it.
Rewards for reporting bugs will be in 2KEY tokens.
The reward amount is proportional to the severity of the issue reported. Once you send the completed form, the dev team assigns a severity score to your issue and gives it a priority.
The assessment team will follow the OWASP risk rating model based on Impact and Likelihood of the reported issue:
The amount of 2KEY reward given per report will depend on the following factors:
Here are the approximate maximum amounts of 2KEY reward (in USD) that will be given, in declining order of issue severity:
The 2key team encourages you to uncover issues with the following characteristics:
Please make sure to report issues that appear on 2key.io and the related Main-Net environment, and check whether they are already fixed or addressed on the testing environment (test.2key.io). As future specs are continuously developed and deployed, the team will review issues in the context of the current expected behavior on main-net, excluding issues that are already being fixed and are due to launch on staging (test.2key.io).
The Bug Bounty program started with a budget of 1,000,000 (1M) 2KEY tokens in Nov 2019.
The first reporter bringing attention to a valid issue is always eligible for a reward. Occasionally, 2key might elect to give rewards to the first few people signaling the same issue within 7-14 days of the first report.
In general, the following will not meet the threshold for bug-bounty eligibility:
For any remaining questions, please send an email to firstname.lastname@example.org