Golem Bug Bounty Competition

Well, nowadays we might not have any real-life moths stuck in our computers (or software, to be more precise) but software bugs need to be…

Golem Bug Bounty Competition

Well, nowadays we might not have any real-life moths stuck in our computers (or software, to be more precise) but software bugs need to be zapped as well. We hope you can join us in doing so.

A. Introduction

We invite our community to join our first (and much anticipated) Bug Bounty Competition (the “Competition”). Please have a look at the content below before starting your hunt.

The complete bounty reward pool equals DAI 130,000. The individual reward for which an accepted bounty qualifies will depend upon the amount and quality of all bounties submitted and accepted into the Competition. The first bounty pool will be available until September 30th, 2020.

For each bounty application, you will need to submit a separate application via email (contact@golem.network with the subject “BUG BOUNTY REPORT”). The form is simple, quick to complete, and will assist us in determining the fairest way to distribute the rewards (see appendix 1).

By submitting a bounty application, you agree to the terms and conditions set forth herein.

B. General Rules

  • Issues that have already been submitted by another user or that are already known to the bug bounty team of Golem Factory GmbH are not eligible for rewards.
  • Public disclosure of an issue makes it ineligible for a reward. Instead, issues should be reported to contact@golem.network with the subject “BUG BOUNTY REPORT”.
  • You can start (or fork) a private chain for bug hunting. Please respect the Ethereum mainnet and testnets and refrain from attacking the networks.
  • Golem Factory GmbH development team, employees and all other people with any professional connection to Golem, are not eligible for rewards.
  • Golem Factory GmbH affiliated websites (in particular golem.network) or infrastructure in general are not part of the Competition.
  • Rewards are, by definition, voluntary and cannot be used as precedents for future rewards.
  • The Competition considers a number of variables in determining rewards. The determination of whether or not a reported issue qualifies for a reward, the severity of the issue, the size of a reward, and all other terms related to a reward are at the sole and final discretion of the bug bounty team of Golem Factory GmbH.
  • Golem Factory GmbH can cancel the Bug Bounty Competition any time.

C. Bug Categories

Golem Bug Bounty Competition is focused on a wide variety of issues related to the overall security of Golem, in particular (but not limited to) smart contracts, functioning of the application and the network protocol.

D. Reward Determination Guidelines

The determination of a reward to be paid out will vary depending on severity and other variables, as determined at the full discretion of Golem Factory GmbH, using the guidelines set forth below.

1. Size of rewards

The size of a reward depends, in part, upon the severity of an issue. The severity is calculated according to the OWASP risk rating model, which is based on impact and likelihood:

OWASP risk rating model graphic

The size of a reward is based on the below listed, non-binding guideline allocations:

  • Critical: up to 15,000 DAI, limited to bug bounty pool
  • High: up to 6,000 DAI
  • Medium: up to 2,500 DAI
  • Low: up to 750 DAI
  • Note: up to 100 DAI

Golem Factory GmbH reserves the right to change the above rate without prior notice and without the possibility of recourse. Please also note that since this guideline is non-binding, DAI allocations are in the end determined at the sole discretion of the bug bounty team of Golem Factory GmbH and all reward decisions are final.

2. Other variables

In addition to severity, other variables are also considered when the bug bounty team of Golem Factory GmbH determines the reward to be paid, including (but not limited to):

  • Quality of description: Higher rewards are paid for clear, well-written submissions. This makes it easier for us to quickly understand the scope and severity of the submitted issue.
  • Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repos: https://github.com/golemfactory
  • Quality of fix, if included: Higher rewards are paid for submissions with a clear description of how to fix the issue.

Golem Bug Bounty Competition is an experimental and discretionary reward program aimed at encouraging and rewarding improvement of Golem. By participating in the Competition, you acknowledge that Golem Factory GmbH can cancel the program at any time, and rewards are paid at the sole discretion of the bug bounty team of the Company. In addition, the Company is not able to issue rewards to individuals who are on the US, Swiss, European (or other) sanctions lists or who are citizens of sanctioned/embargoed countries (eg. North Korea, Iran, etc). The transfer of a reward thus may be made subject to a prior and successful KYC-check of the participant. All recipients of any bounty tokens are responsible for all taxes under their respective jurisdictions and situations. All rewards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

Any disputes arising out of or in connection with the Bug Bounty Program shall be exclusively decided by the ordinary courts of the city of Zug, Switzerland and in accordance to Swiss law.

Please make sure you read our Privacy Policy.

Note: Golem reserves the right to reply to bug bounty messages in a period of more than 24 hours. We are reading everything, yet have to prioritise some reports over others.

Additionally, please note that the Bug Bounty competition is only subjected to SECURITY BUGS.