It is with great pleasure that the team kicks off the final stages of the preparation phase of the Starfleet stage today by launching the official Starfleet bug bounty program.
Bug bounty scope
The following projects are in scope for the Starfleet bug bounty program:
- The Starfleet Boarding Solidity smart contract — focusing on securing the boarding process against any potential smart contract attacks, starting from January 6, 2021. A detailed specification for the smart contract is presented in OT-RFC-10;
- The Starfleet Boarding website — ensuring the secure interaction of the Dapp with the Starfleet boarding smart contract, starting from January 25, 2021 (after the website launch); and
- The Starfleet blockchain source code: To be released prior to the mainnet launch, securing the implementation (starting date TBA).
Rewards:
- Low severity bugs: ~ 1000 TRAC
- Medium severity bugs: ~ 5000 TRAC
- High severity bugs: ~ 25000 TRAC
The following bug bounty rules apply to all of the above-listed projects:
- First come, first served.
- Issues that have already been submitted by another person are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for the bounty reward.
- Hired auditors are not eligible for rewards.
- Determination of eligibility, score, and all terms related to the reward is at the sole and final discretion of OriginTrail core developers.
In addition to bug severity, the core developers will also consider the following information to determine the rewards:
- Quality of description: higher rewards are paid for clear, well-written submissions.
- Reproducibility: please include test code, scripts, or detailed instructions.
- Quality of fix, if included: higher rewards will be paid for submissions with a clear description of how to fix the issue.
All bug bounty submissions are to be sent via email to firstname.lastname@example.org
The team urges bounty hunters to:
- Give the team a reasonable amount of time to resolve any submitted vulnerabilities.
- Not use any channel other than the provided email address to submit vulnerabilities.
- Not damage OriginTrail and its stakeholders or disclose any data in the process of discovery.