2key Bug Bounty Program

How To Participate:

• Create a 2key account at 2key.io.
• Click the “Report a bug” button on this page
• Fill the form

Detailed Information

To report a potential bug, please fill out the form below with detailed and comprehensive information.
2key team review and prioritize the reported bugs and implement fixes within 90 days. So if you reported an issue, allow the team this time to push the fix before publicly publishing it.

Rewards

Rewards for reporting bugs will be in 2KEY tokens.
‍
The reward‘s amount is proportional to the severity of the issue reported. Once you send the completed form, dev team assigns a severity score to your issue and given priority.

The assessment team will follow the OWASP risk rating model based on Impact and Likelihood of the reported issue:
 

The amount of 2KEY reward given per report will depend on the following factors:

• Demonstration of how the issue may be exploited to maximum effect
• Severity of the issue
• Complexity in solving the issue
• Reproducibility of the issue
• Includes a pull request for a valid fix of the issue

Here are the approximate maximum amounts of 2KEY reward (in USD) that will be given by declining order of issue severity:

• Critical: up to 5000 USD
• High: up to 1,000 USD
• Medium: up to 500 USD
• Low: up to 100 USD

2Key team encourage you to uncover issues with the following characteristics:

• Contracts logic flaws / security issues / financial breaches
• Contracts possible exploits and vulnerabilities - both architecture and implementation
• Contracts upgradability and versions schema attack vectors
• 2key protocol: bugs, vulnerabilities, exploits, security breaches, cryptography errors
• API: exploits, data breaches, data leakages, permissions breaches, wrong behavior.
• Dapp: crashes, stalls, funnel blocks, usability errors etc..
• Game Theory attack vectors, collusion network vectors etc.. which may be carried out on existing product.

Please make sure to report issues that appear on 2key.io and the related Main-Net environment, and check whether they are already fixed or addressed on testing environment (test.2key.io). As future specs are continuously developed and deployed, team will review issues in the context of the current expected behavior on main-net, excluding issues already being fixed to be launched on staging (test.2key.io).

The Bug Bounty program started with 1,000,000 (1M) 2KEY tokens budget on Nov 2019.

Eligibility

The first reporter bringing attention to a valid issue is always eligible for a reward. Occasionally, 2key might elect to give rewards to the first few people signaling the same issue within 7-14 days of the first report.

‍In general, the following will not meet the threshold for bug-bounty eligibility:

• Issues on a test environment that have just been deployed and are work-in-progress by the 2key devs
• Any issues on 3rd party sites/apps unless they are directly linked to an exploit or bug specific to 2key
• Issues depending or arising from physical attacks 
• Game-theoretic issues 
• Known Issues
• Issues affecting outdated or unpatched browsers
• Issues that have not been thoroughly investigated and comprehensively reported
• Issues that cannot be reproduced

Scope

• App: https://2key.io
• API: api.2key.network
• Contracts: master deployed version - github.com/2key/contracts → tag as taken from get2keyProtocolVersion(). Run this command on the console from within the 2key staging app.

For any remaining questions, please send an email: [email protected]