IOVlabs Bounty Program

Security experts, software developers and hackers who dedicate
time and effort to improve the rsk platform are rewarded.
Determinations of eligibility, score and all terms related to an
award are at the sole and absolute discretion
of IOVlabs.

Submit a vulnerability and get your bounty

Rules and rewards

Submit your findings
and earn rewards!

The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated.

We accept anonymous submissions, but in that case the bounty reward will be donated to charity.

The submitter grants IOVlabs the right to use parts or all the submitted report for communicating the vulnerability to the public.

IOVlabs may cite the submitter name and points earned in rsk blog posts and online bounty rankings.

If you prefer not to be identified in IOVlabs communications by your real name you must clarify this and provide a pseudonym in your submission.

Issues that have already been submitted by another submitter or are already known to the IOVlabs team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) and then reports to IOVlabs with considerable delay, then IOVlabs may reduce or cancel the bounty.

You can start or fork a private chain for bug hunting.
Please refrain from attacking the rsk mainchain and test networks. Also please refrain from attacking the ETH or ETC main-chains and test networks.
An attack will make the vulnerability ineligible for a bounty.

IOVlabs development team, employees and all other people paid by IOVlabs , directly or indirectly, are not eligible for rewards.

A person who submitted a change in the rsk codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.

IOVlabs websites, infrastructure and assets are NOT part of the IOVlabs bounty program.

IOVlabs bounty program considers a number of variables in determining rewards.

Determinations of eligibility, score and all terms related to an award are at the sole and absolute discretion of IOVlabs.

Rewards severity and payments

For example the value of rewards
paid out will vary depending on severity.

The severity is calculated according
to the OWASP risk rating model
based on Impact and Likelihood.

A bug triggered by a single low-cost transaction that forks the rsk blockchain into some nodes accepting a block containing the transaction and some nodes rejecting that block, will be generally considered High.

This is because it is highly likely to be used for an attack but the impact is medium, because a double-spend attack must also be perpetrated to steal assets.

A remote attack to a specific node that steals its private keys with some very low probability will be generally considered High.

This is because the impact is high but the likelihood is medium, and many nodes must be probed until the attacker finds the right victim.

An attack that spams the blockchain or the state with a cost much lower than the expected, will be generally considered Medium.

A remote attack that reveals some private information of a node that does not lead to the loss of funds will be generally considered Low.

The IOVlabs reward program
considers a series of variables to
determine the rewards.

Eligibility determinations, scoring and all terms related
to a prize are at the sole and absolute discretion of
IOVlabs.

Subscribe to our Newsletter