Witnet is a decentralized oracle network (DON) that connects smart contracts to the real, off-chain world. Broadly speaking, it allows any piece of software to retrieve information published at any web address at any point in time, with complete and verifiable proof of the information's integrity, without blindly trusting any third party.
The Witnet protocol achieves this by permitting a network of computers to act as a "decentralized oracle" that retrieves, attests and delivers information to smart contracts, with no single point of trust.
The Witnet Foundation will try to meet the following SLAs when a bug is reported by a member of the security community:
- within 10 days
- up to 6 weeks
- TBD based on severity and complexity of the bug reported
We’ll do our best to ensure all communication is clear and concise throughout the process.
Rewards and Judging Process
Submit before 7th October 2020 and your vulnerability may be applicable for a reward multiplier, as specified below.
Generally speaking, any bug that poses a significant vulnerability to the soundness of the protocol, to protocol/implementation compliance with network security, to classical client security, or to the security of cryptographic primitives could be eligible for a reward.
The Witnet Foundation will take into account:
- Depth and scope of research from the Bug Hunter, and the quality of analysis
- The criticality of the bugs/vulnerabilities
- The ease with which the Witnet Foundation is able to recreate the vulnerability
Reward | Reward Multiplier (submit before 7 October 2020)
Up to $5000 | Up to $10000
Up to $2000 | Up to $3000
Up to $1000 | Up to $1300
Up to $300 | Up to $400
What’s Eligible for Reward?
Uncovering a bug that poses a significant vulnerability to:
- the soundness of the protocol
- protocol/implementation compliance with network security
- classical client security
- the security of cryptographic primitives
- security issues with certain services that the Witnet Foundation offers
Attacking the Witnet network by:
- specifying an attack which potentially affects liveness, safety or censorship resistance on the Network
- eclipsing a particular node and running a double-spend attack
Creating a data request that:
- potentially affects the long-term or short-term fairness of distribution, liveness or security of the network
Running a Witnet <> Ethereum bridge node that:
- breaks the security assumptions offered by the interaction with the Ethereum chain and convinces a client smart contract of a fake result
What’s Not Eligible for Reward?
These bugs and attacks will NOT be eligible for any reward:
- any vulnerability or limitation already known by the Witnet Foundation, as listed on this document
- any bug found on the Witnet websites witnet.io and all the third-level websites on those domains
- any bug found on an application built by the Witnet Foundation or by the Witnet community
- any bug found on the third-party libraries that the Witnet Protocol utilizes
- bugs which have already been submitted by another user or are already known to the Witnet team or have already been publicly disclosed
- any other bug deemed irrelevant or insignificant by the Witnet Foundation
- any bug found by Witnet Foundation employees or any other person employed in any way by the Foundation, directly or indirectly, or anyone engaged by a user of the Witnet codebase to review or audit Witnet code (which has been specifically developed for that user) in exchange for remuneration
Please note: it’s entirely at the Witnet Foundation’s discretion to decide whether a bug or an attack is significant enough to be eligible for reward.
* These are priorities for this program. Bugs or vulnerabilities which threaten the security of funds for the node operators or data requestors will receive the most generous rewards.
By participating in this program, you will:
- not discuss any vulnerabilities (even ones that have been addressed) outside of the program without express consent from the Witnet Foundation.
- not violate the privacy of other users, destroy data, etc.
- not defraud or harm the Company or anyone in the Witnet Community during your research; you should make a good faith effort to not interrupt or degrade Witnet Technologies.
- not target the Company’s or any member of the Witnet Community’s physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to the Company, the Witnet Protocol, or its users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
- follow HackerOne's disclosure guidelines as laid out here
Submitting a Bug or Vulnerability
Please provide a detailed report with completely replicable steps. Send your report to firstname.lastname@example.org and include the following:
- your name
- your GitHub profile
- a description of the bug or attack
- a severity level of the bug (based on the OWASP guidelines)
- a description of the attack scenario (if any)
- a list of the components affected
- a report on how to reproduce the bug or attack
- any other details
- In the email subject, please use the following format: WITNET BUG/ATTACK [SEVERITY LEVEL] (the severity level is at your discretion, based on your understanding of the submission, and will later be reviewed by the Witnet Foundation)
- If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- If you have more than one bug to report, submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- In the case where multiple individuals submit the same bug, we only award the first report that was submitted.
- Each underlying root issue will be liable for only one bounty, even if it causes multiple vulnerabilities.
Submissions must be made before 12 Jan 2021. Submissions made before 7 October 2020 may be applicable for a reward multiplier, as specified above.