Polymesh Bug Bounty Program

Event details

To get started, Read the Rules and the Developer Documentation, to learn about how to setup Polymesh and how to approach the bug bounty program.

Having some prior knowledge about capital markets and Rust language can be beneficial. If you have still have any questions, you can ask them via Discord server, or email at [email protected].

You can also submit the bug reports on Bug Bounty program on Immunefi.

Bounty Scope

The bug bounty will be applicable for the following repositories, sources and sites:

https://github.com/PolymathNetwork/Polymesh/releases/tag/v3.0.0

https://github.com/PolymathNetwork/cryptography/tree/da06e1db8b6d907dd81bd63c5f26e18c77836081/confidential-identity

Following are out of scope:

https://github.com/PolymathNetwork/Polymesh/tree/develop/pallets/contracts

https://github.com/PolymathNetwork/Polymesh/tree/develop/contracts

No “test” code - i.e. javascript integration tests or unit tests are in scope.

Rules

• Rewards will be decided on a per case basis. This bug bounty program’s terms and conditions are at the sole discretion of Polymath Network.
• Rewards will vary depending on the severity of the issue.
• Disclose the bug only on the platforms approved by us (Federacy/Immunefi). Do not disclose a bug or vulnerability anywhere else to the public. Doing such would disqualify it from being considered for a reward.
• The bugs being considered for the reward are based on first come first serve basis, duplicate bugs will not be considered.
• If you want to add more information to a provided issue, edit the original report, do not create a new submission.
• Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
• Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Polymath Network.
• Submissions needs to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
• Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission process invalid.
• It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.
• By participating in the Polymath Bug Bounty program, you agree to abide by the terms and condition of the program.

The terms may be modified or terminated at any time.

Vulnerability Classification and Rewards

Exclusions

While researching, please refrain from:

• Denial of service in general and of Public RPC nodes
• Attacks that consume a substantial amount of Kovan ETH, Kovan POLY or Testnet POLYX and which would otherwise be cost-prohibitive on mainnet
• Spamming
• Social engineering (including phishing) of Polymath staff
• Any physical attempts against Polymath property or data centres

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 

However, please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party, that third party is not bound by the rules of this program and may determine, at their sole discretion, whether to pursue legal action. Polymath cannot and does not authorize security research on other entities.

Please see Safe Harbor Conditions in Terms and Conditions for full details.

References

• Whitepaper
• Developer Documentation
• Getting Started

Submitting a bug

Once you find a bug, please report it via Federacy.
Additionally, Immunefi is also running Bug Bounty program, you can report it there too.
Please try to be detailed, specific, and clear when you fill out this form.

Terms and Conditions

The Polymath Bug Bounty Program is governed by Terms and Conditions defined here.
By participating in the program, you agree by these Terms and Conditions.