Bug Bounty Program

pavlov.ig · July 19, 2018, 1:36pm

Hello everyone!

In order to provide the best quality of the product to the community, we are starting WAVES Bug Bounty Program.

The scope of the Program: versions of the Node which currently deployed to official nodes on MainNet. We are interested in security issues, issues which can break the blockchain consensus, issues leading to inoperability of the Node.

RULES & REWARDS

Please have a look at the bullets below before starting your hunt!

Issues that have already been submitted by another user or are already known to the WAVES team are not eligible for bounty rewards.
Public disclosure of vulnerability makes it ineligible for a bounty.
WAVES core development team, employees are not eligible for rewards.
WAVES Bug Bounty Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the WAVES Bug Bounty Panel.

The value of rewards paid out will vary depending on severity.

WAVES Bug Bounty Panel decides on the severity of the bug based (but not limited) on:

the complexity of the conditions for the occurrence (the number of conditions that must coincide)
how typical these conditions are for the most use cases
how often functions in which the bug is found are used
reproduction stability
ability to break the consensus rules
could it be used for unfair money getting
could it be used for DoS
could it lead to the fork
does it lead to Node inoperability

The minimum payout is 1 WAVES and the maximum is 1000 WAVES for the most bugs.
The highly critical bugs can be valued by the WAVES Bug Bounty Panel above the maximum.

Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the WAVES Bug Bounty Panel.

Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with paid WAVES accumulating over the course of the Program.

In addition to severity, other variables are also considered when the WAVES Bug Bounty Panel decides the reward, including (but not limited to):

quality of description. Higher rewards are paid for clear, well-written submissions.
quality of reproducibility. Please include detailed instructions.
quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.

How to report a bug

Just send your bug report to [email protected].

Important Legal Information

The WAVES Bug Bounty Program is an experimental and discretionary rewards program for our active WAVES community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the Program at any time, and awards are at the sole discretion of WAVES Bug Bounty Panel. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

Emir999 · July 21, 2018, 7:28am

Hello, I found a bug, a token that was not released was released, will I be rewarded for finding this bug?

pavlov.ig · July 22, 2018, 6:23am

Hi, we need more details.
Please send it according to the Program rules above.

Tradisys.com · July 24, 2018, 5:16pm

Nice. Looks like you are interested in the platform security and it’s great!

But what if someone will find a bug that can be sold to someone else for much bigger price then 1000 Waves or $3000?

Grootlily · July 24, 2018, 10:29pm

It turned out this was a very good question.

TenaciousC · July 25, 2018, 9:05am

Good initiative but the incentive is far to low for this!
Come on Waves team, you’ve got over 20k BTC available in your warchest but are to scroodgy to sepnd even 1 BTC for people who find essential bugs?

pavlov.ig · July 25, 2018, 9:50am

Hi @Tradisys.com @Grootlily
I’ve updated the Program

Grootlily · July 25, 2018, 10:32am

Thank you @pavlov.ig!
However, it seems to me that you didn’t get the point at all… Adding “for the most bugs” does not solve the issue. The problem is that the community does not agree with the amount of the reward in general. 1000 WAVES is an extremely tiny reward in comparison with the consequences of the damage that can be caused by not reporting the bug. It is what people saying here. Also, I’ve seen the following comment from one of the Users in your Telegram channel (not sure why it is “2k waves” here… but the point is clear):

“ıf ı were a programmer, and ıf ı fınd a bug or somethıng that can be used to hack smart contrat ı wouldnt tell ıt for 2k waves, even you dont gıve 2k, you make contest for ıt”

This again proves my statement above.

Grootlily · July 25, 2018, 12:00pm

And it is good to know that “The highly critical bugs can be valued by the WAVES Bug Bounty Panel above the maximum.” Hopefully, the bonus would be reasonable.
Thanks!

Tradisys.com · July 25, 2018, 1:01pm

Thank you, Igor! Pretty good addition.

Igor55 · August 20, 2018, 12:20pm

Привет! Нашел один баг при массовом отправлении токенов происходит удаление адресов из поля ввода, если ты делаешь это вручную! Видео процесса здесь https://vk.com/video?z=video364169331_456239031%2Fpl_cat_updates

Igor55 · August 20, 2018, 12:24pm

Hello! I found one bug when sending bulk tokens, addresses are deleted from the input field, if you do it manually! Video process here https://vk.com/video?z=video364169331_456239031%2Fpl_cat_updates

Valentin · August 20, 2018, 12:54pm

Hello, Igor!
This is not a bug, but the normal behavior of the application. Once a second, the test is performed and the line is deleted if it does not match the correct format. The correct format in this case is [“string_address”, “number”]. We understand that in your case this is not very convenient, but this functionality, first of all, is intended for sending to the addressees whose list is uploaded from the CSV file. Alternatively, you can edit your TXT file, add amounts in front of each recipient and paste it through the clipboard.

Igor55 · August 24, 2018, 10:04am

Привет! Нашел несколько мелких недочетов DEX. Не работает функция свернуть биржевой стакан и количество монет отображается как Кол-Во. А хотелось бы что бы было Кол-во.
Hello! Found some minor DEX flaws. The function does not work to minimize the exchange cup and the number of coins is displayed as Кол-Во. And I would like that would be the Кол-во. Video here https://vk.com/video?z=video364169331_456239032%2Fpl_cat_updates

Valentin · September 4, 2018, 8:31pm

Если вы про эту кнопку http://joxi.ru/5mdqj9JHkK4Np2, то это не “свернуть”, а “отцентровать” . Попробуйте проскроллить ордера вверх или низ и нажать, чтобы понять что она делает.
Это тоже знаем, спасибо. В планах есть переработать стили.

binarycode · September 20, 2018, 11:06am

looking further for this one

Emir999 · September 27, 2018, 4:59pm

The reward for finding the bug is not assessed, as the support for the award said, why then promise?

pavlov.ig · September 28, 2018, 6:52am

The reward for a bug is up to 2000 WAVES depending on bug severity