IOVlabs
Bounty Program

Security experts, software developers and hackers who dedicate time and effort to improve the RSK platform are rewarded. Determinations of eligibility, score and all terms related to an award are at the sole and absolute discretion of IOVlabs.

Rules and rewards

Submit your findings and earn rewards!

The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated.
We accept anonymous submissions, but in that case the bounty reward will be donated to charity.

IOVlabs may cite the submitter name and points earned in RSK blog posts and online bounty rankings.

If you prefer not to be identified in IOVlabs communications by your real name, you must state this and provide a pseudonym in your submission.

Issues that have already been submitted by another submitter or are already known to the IOVlabs team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) and then reports to IOVlabs with considerable delay, then IOVlabs may reduce or cancel the bounty.

You can start or fork a private chain for bug hunting. Please refrain from attacking the RSK mainchain and test networks. Also please refrain from attacking the ETH or ETC main-chains and test networks. An attack will make the vulnerability ineligible for a bounty.

The IOVlabs development team, employees and all other people paid by IOVlabs, directly or indirectly, are not eligible for rewards.

A person who submitted a change to the RSK codebase is not eligible for rewards for vulnerabilities originating from or triggered by the submitted change.

IOVlabs websites, infrastructure and assets are NOT part of the IOVlabs bounty program.

Rewards severity and payments

The value of rewards paid out will vary depending on severity.

The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.

A bug triggered by a single low-cost transaction that forks the RSK blockchain, with some nodes accepting a block containing the transaction and some nodes rejecting that block, will generally be considered High.

This is because it is highly likely to be used for an attack but the impact is medium, because a double-spend attack must also be perpetrated to steal assets.

A remote attack against a specific node that steals its private keys with some very low probability will generally be considered High.

This is because the impact is high but the likelihood is medium, and many nodes must be probed until the attacker finds the right victim.

An attack that spams the blockchain or the state at a cost much lower than expected will generally be considered Medium.

A remote attack that reveals some private information of a node but does not lead to the loss of funds will generally be considered Low.
