
Bounty Program

Submit a vulnerability

Security experts, software developers, and hackers who dedicate time and effort to improve the Rootstock blockchain can be rewarded through the bounty program.

Rules & rewards

  • The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated. We accept anonymous submissions, but in that case the bounty reward will be donated to charity.
  • RootstockLabs may cite the submitter name and points earned in Rootstock blog posts and online bounty rankings.
  • If you prefer not to be identified in RootstockLabs communications by your real name, you must clarify this and provide a pseudonym in your submission.
  • Issues that have already been submitted by another submitter or are already known to the RootstockLabs team are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) and then reports to RootstockLabs with considerable delay, then IOVlabs may reduce or cancel the bounty.
  • You can start or fork a private chain for bug hunting. Please refrain from attacking the Rootstock mainchain and test networks. Also please refrain from attacking the ETH or ETC main-chains and test networks. An attack will make the vulnerability ineligible for a bounty.
  • RootstockLabs development team, employees and all other people paid by RootstockLabs, directly or indirectly, are not eligible for rewards.
  • A person who submitted a change in the Rootstock codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.
  • RootstockLabs websites, infrastructure and assets are NOT part of the RootstockLabs bounty program.

**Determinations of eligibility, score, and all terms related to an award are at the sole discretion of RootstockLabs.**

Severity-based rewards system

  • The value of rewards paid out will vary depending on the severity of the vulnerability submitted. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.
  • A bug triggered by a single low-cost transaction that forks the Rootstock blockchain into some nodes accepting a block containing the transaction and some nodes rejecting that block will be generally considered High. This is because it is highly likely to be used for an attack but the impact is medium, because a double-spend attack must also be perpetrated to steal assets.

The RootstockLabs reward program considers a series of variables to determine the rewards.

Eligibility determinations, scoring and all terms related to a prize are at the sole and absolute discretion of RootstockLabs.

Rootstock Github Repository