Bug Bounty Program

ChainPort offers financial rewards to any security professional for identifying and reporting valid vulnerabilities and exploits on our app and domains.

One of the foundations of decentralized security is community-driven auditing. We encourage you to identify bugs, penetration vectors, front-end vulnerabilities, financial attack vectors, and other issues that may risk or destabilize the network and its operations.

How it Works

To report a potential bug, please fill out the form below with detailed and comprehensive information.

Our team reviews and prioritizes reported bugs and implements fixes accordingly. Please allow us time to correct an issue before making it public.

Rewards

Rewards are proportional to the severity of the reported issue. Upon receipt of the completed form, our development team assigns a severity score to the problem and prioritizes it accordingly.

The assessment of the reported bug will follow the OWASP risk rating model, based on the impact and likelihood of the reported issue.

The following factors determine the reward amount per report:

  1. Demonstration of how the issue may be exploited to maximum effect.
  2. The severity of the issue.
  3. Issue complexity.
  4. Reproducibility of the issue.
  5. Existence of a pull request with a valid fix for the issue.

Below is a list of the approximate maximum amounts distributed, listed by order of bug severity:

  • Low: up to 100 USD
  • Medium: up to 500 USD
  • High: up to 2,000 USD
  • Critical: up to 5,000 USD

Stable tokens or an equivalent amount in PORTX tokens will be rewarded for valid bug reports. We might even pay higher amounts if we find the bug supercritical.

We encourage you to uncover issues with the following characteristics:

  • Contracts: Logic flaws / security issues / financial breaches.
  • Contracts: Possible exploits and vulnerabilities, both in architecture and implementation.
  • Contracts: Upgradability and versions of schema attack vectors.
  • ChainPort Protocol: Bugs, vulnerabilities, exploits, security breaches, cryptographic errors.
  • Front-end: Possible exploits by inserting malicious code, XSS attacks, clickjacking attacks, or any vulnerabilities during Web3 interactions.
  • API: Exploits, data breaches, leakages, permissions breaches, wrong behavior.

Please report issues for the related mainnet environment.

As future specs are continuously developed and deployed, we will review issues in the context of the current expected behavior on the mainnet. This excludes issues already undergoing fixes to be launched in the next version.

*We reserve the right to enlarge this pool or modify the reward amount without prior notice.

Eligibility

The first reporter who brings attention to a valid issue will be rewarded. ChainPort’s team might also choose to reward the first few people signaling the same problem within 7-14 days of the initial report.

The following will not meet the eligibility threshold for the bug bounty:

  1. Issues on a test environment that have just been deployed and are work-in-progress by the ChainPort devs
  2. Any issues on 3rd party sites/apps unless they are directly linked to an exploit or bug specific to ChainPort
  3. Issues depending on or arising from physical attacks
  4. Game-theoretic issues
  5. Known Issues
  6. Issues affecting outdated or unpatched browsers
  7. Issues that have not been thoroughly investigated and comprehensively reported
  8. Issues that cannot be reproduced

We ask and encourage the community to report any bugs, even if they are not eligible for a reward.
A better ChainPort is a win for all of us 😃

Scope for

App:
app.chainport.io

Website:
ChainPort.io


Including sub-domains and related mainnet environment.

Process

For security reasons, we might fix the bug even before contacting the reporter.