2key Bug Bounty Program
- Reward pool: ~ $50,000 (1,000,000 2KEY)
- Expected profit: $100 - 5,000, equal in 2KEY
- Max participants: ∞ (no limit)
- DropsEarn score: Neutral (Hard, Low Risks)
How To Participate:
Detailed Information
To report a potential bug, please fill out the form below with detailed and comprehensive information.
The 2key team reviews and prioritizes the reported bugs and implements fixes within 90 days. If you have reported an issue, allow the team this time to push the fix before publishing it publicly.
Rewards
Rewards for reporting bugs will be in 2KEY tokens.
The reward amount is proportional to the severity of the issue reported. Once you send the completed form, the dev team assigns a severity score to your issue and gives it a priority.
The assessment team will follow the OWASP risk rating model based on Impact and Likelihood of the reported issue:
The amount of 2KEY reward given per report will depend on the following factors:
- Demonstration of how the issue may be exploited to maximum effect
- Severity of the issue
- Complexity in solving the issue
- Reproducibility of the issue
- Includes a pull request for a valid fix of the issue
Here are the approximate maximum amounts of 2KEY reward (in USD) that will be given, in declining order of issue severity:
- Critical: up to 5,000 USD
- High: up to 1,000 USD
- Medium: up to 500 USD
- Low: up to 100 USD
The 2key team encourages you to uncover issues with the following characteristics:
- Contracts logic flaws / security issues / financial breaches
- Contracts possible exploits and vulnerabilities - both architecture and implementation
- Contracts upgradability and versions schema attack vectors
- 2key protocol: bugs, vulnerabilities, exploits, security breaches, cryptography errors
- API: exploits, data breaches, data leakages, permissions breaches, wrong behavior
- Dapp: crashes, stalls, funnel blocks, usability errors, etc.
- Game theory attack vectors, collusion network vectors, etc., which may be carried out on the existing product
Please make sure to report issues that appear on 2key.io and the related Main-Net environment, and check whether they are already fixed or addressed on the testing environment (test.2key.io). As future specs are continuously developed and deployed, the team will review issues in the context of the current expected behavior on main-net, excluding issues already being fixed to be launched on staging (test.2key.io).
The Bug Bounty program started with a budget of 1,000,000 (1M) 2KEY tokens in Nov 2019.
Eligibility
The first reporter bringing attention to a valid issue is always eligible for a reward. Occasionally, 2key might elect to give rewards to the first few people signaling the same issue within 7-14 days of the first report.
In general, the following will not meet the threshold for bug-bounty eligibility:
- Issues on a test environment that have just been deployed and are work-in-progress by the 2key devs
- Any issues on 3rd party sites/apps unless they are directly linked to an exploit or bug specific to 2key
- Issues depending on or arising from physical attacks
- Game-theoretic issues
- Known Issues
- Issues affecting outdated or unpatched browsers
- Issues that have not been thoroughly investigated and comprehensively reported
- Issues that cannot be reproduced
Scope
- App: https://2key.io
- API: api.2key.network
- Contracts: master deployed version - github.com/2key/contracts → tag as taken from get2keyProtocolVersion(). Run this command on the console from within the 2key staging app.
For any remaining questions, please send an email: [email protected]
About
The 2key network offers financial rewards to community members for identifying and reporting valid vulnerabilities and exploits on the 2key network. One of the foundations of decentralized security is community-driven auditing. The 2key network encourages you to identify bugs, penetration vectors, financial attack vectors, and other issues that may destabilize the network and its functioning.
1 Nov 2019 00:00(UTC+3) - 1 Nov 2020 00:00(UTC+3)
Closed
None