Witnet & Gitcoin Incentive Program: Bug Bounty - DropsEarn

    The Witnet community appreciates the assistance of the Gitcoin community in exposing and fixing vulnerabilities that will ensure the Witnet protocol is robust leading up to (and in the months following) the launch of Mainnet in October 2020. The Bounty Program was announced in July 2020 as part of the Witnet Testnet Incentive Program.

    Reward pool: $30,000
    Expected profit: $100 - 10,000
    Max participants:
    DropsEarn score: Neutral

  • Activity Type: Bug bounty Hackathon
  • Date: 14 Sep 2020 12:00(UTC+3) - 12 Jan 2021 12:00(UTC+3)
  • Registration: Open
  • Event status: You can participate (Event started, Registration open)
  • Links: Official Event Page

Program Details

About Witnet

Witnet is a decentralized oracle network (DON) that connects smart contracts to the real, off-chain world. Broadly speaking, it allows any piece of software to retrieve information published at any web address at any point in time, with complete and verifiable proof of the information's integrity, without blindly trusting any third party.

The Witnet protocol achieves this by permitting a network of computers to act as a "decentralized oracle" that retrieves, attests and delivers information to smart contracts, with no single point of trust.

Response Target

The Witnet Foundation will try to meet the following SLAs for any bug reported by a member of the security community:
 

Stage                 Response Time
Initial Response      within 10 days
Report                20 days
Bounty Distribution   Up to 6 weeks
Resolution            TBD based on severity and complexity of bug reported


We’ll do our best to ensure all communication is clear and concise throughout the process.


Rewards and Judging Process

Submit before 7th October 2020 and your vulnerability may be eligible for a reward multiplier, as specified below.

Generally speaking, any bug that poses a significant vulnerability to the soundness of the protocol, to protocol/implementation compliance to network security, to classical client security, or to the security of cryptographic primitives could be eligible for a reward.


The Witnet Foundation will take into account:

  • Depth and scope of research from the Bug Hunter, and the quality of analysis
  • The criticality of the bugs/vulnerabilities
  • Ease with which the Witnet Foundation is able to recreate the vulnerability
     
Category DAI Reward Multiplier (submit before 7 October 2020)
Critical Up to $5000 Up to $10000
High Up to $2000 Up to $3000
Medium Up to $1000 Up to $1300
Low Up to $300 Up to $400


What’s Eligible for Reward?

Uncovering a bug that poses a significant vulnerability to:

  • the soundness of the protocol
  • protocol / implementation compliance to network security
  • classical client security
  • the security of cryptographic primitives
  • security issues with certain services that the Witnet Foundation offers
     

Attacking the Witnet network by:

  • specifying an attack which potentially affects liveness, safety or censorship resistance on the Network
  • eclipsing a particular node and running a double-spend attack
     

Creating a data request that:

  • potentially affects the long-term or short-term fairness of distribution, liveness or security of the network
     

Running a Witnet <> Ethereum bridge node that:

  • breaks the security assumptions offered by the interaction with the Ethereum chain and convinces a client smart contract of a fake result

What’s Not Eligible for Reward?

These bugs and attacks will NOT be eligible for any reward:

  • any vulnerability or limitation already known by the Witnet Foundation, as listed in this document
  • any bug found on the Witnet websites witnet.io and all the third-level websites on those domains
  • any bug found on an application built by the Witnet Foundation or by the Witnet community
  • any bug found on the third-party libraries that the Witnet Protocol utilizes
  • bugs which have already been submitted by another user or are already known to the Witnet team or have already been publicly disclosed
  • any other bug deemed irrelevant or insignificant by the Witnet Foundation
  • any bug found by Witnet Foundation employees or any other person employed in any way by the Foundation, directly or indirectly, or anyone engaged by a user of the Witnet codebase to review or audit Witnet code (which has been specifically developed for that user) in exchange for remuneration
     

Please note: it’s entirely at the Witnet Foundation’s discretion to decide whether a bug or an attack is significant enough to be eligible for reward.


Resources

General info:

Community info:

Technical info:


* These are priorities for this program. Bugs or vulnerabilities which threaten the security of funds for the node operators or data requestors will be rewarded with the most generous rewards.


Disclosure Policy

By participating in this program, you will:

  • not discuss any vulnerabilities (even ones that have been addressed) outside of the program without express consent from the Witnet Foundation.
  • not violate the privacy of other users, destroy data, etc.
  • not defraud or harm the Company or anyone in the Witnet Community during your research; you should make a good faith effort to not interrupt or degrade Witnet Technologies.
  • not target the Company’s or any member of the Witnet Community’s physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to the Company, the Witnet Protocol, or its users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
  • follow HackerOne's disclosure guidelines as laid out here

Submitting a Bug or Vulnerability

Please provide a detailed report with completely replicable steps. Send your report to testnet@witnet.foundation and include the following:

  • your name
  • your GitHub profile
  • a description of the bug or attack
  • a severity level of the bug (based on the OWASP guidelines)
  • a description of the attack scenario (if any)
  • a list of the components affected
  • a report on how to reproduce the bug or attack
  • any other details
     

Furthermore:

  • In the email subject, please use the following format: WITNET BUG/ATTACK[SEVERITY LEVEL] (the severity level of the issue is at your discretion, based on your understanding of the submission, and will later be reviewed by the Witnet Foundation)
  • If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • If you have more than one to report, submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • In the case where multiple individuals submit the same bug, we only award the first report that was submitted.
  • Each underlying root issue will be liable for only one bounty, even if it causes multiple vulnerabilities.
     

Submissions must be made before 12 Jan 2021. Submissions made before October 7 2020 may be eligible for a reward multiplier, as specified above.