Yes! Authereum's contracts have an ongoing bug bounty in order to keep them as secure as possible. We will pay out up to $8,000 as a reward for a disclosure. Over time, we expect this reward to grow with the number of assets held in Authereum contracts.
Scope of the Program
We want to hear about anything you find. The issues of greatest interest to us are:
- Risk of funds being stolen
- Risk of funds being frozen or lost
- Risk of admin abilities (upgrade, add admin key, remove admin key, etc.) being maliciously triggered or prevented
The commit hash for the contracts within scope of the audit is 903c49d35751b63768e3011216f740e4f509132a. The following is a list of contracts that are in scope for the audit:
- Every contract in the contracts/account directory of our public contracts repository.
- Every contract in the contracts/upgradeability directory of our public contracts repository.
- Every contract in the contracts/modules directory of our public contracts repository.
- Every contract in the contracts/validation directory of our public contracts repository.
Anything already covered by our audits and disclosures is not in scope.
If an issue is found for a contract that is not in scope of this bug bounty program, please report it to us in the same manner described below. We will handle these reports on a case-by-case basis.
The Authereum website, relayer, and the Authereum infrastructure in general are not part of this bug bounty program.
Overview of the System
Please read through our technical articles to get a better understanding of the product as a whole.
- A user can render their account useless or lose their funds by upgrading their account to a logic address outside of the Authereum ecosystem.
- It is expected that a relayer will not broadcast a transaction that contains any data that would be economically detrimental to themselves. This includes:
  - Transactions that will revert (because of gas, bad data, improperly signed data, etc.)
  - Transactions that contain a `feeTokenRate` that the relayer does not accept as a valid rate
  - Transactions that contain a `feeTokenAddress` that the relayer does not accept as a valid payment token
- The Authereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, reward and all terms related to an award are at the sole and final discretion of Authereum.
- Public disclosure of a vulnerability makes it ineligible for a bounty. Instead, issues must be submitted to firstname.lastname@example.org.
- Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it.
- To be eligible for rewards, we require your real name and a proof of your identity.
- Issues must be new to the team. Issues that have already been submitted by another user, an audit, or are already known to the Authereum team are not eligible for bounty rewards.
- You can start or fork a private chain for bug hunting. Please do not run an exploit on the Ethereum main and test networks and refrain from attacking them.
- Authereum's core development team, employees, contractors and all other people paid by Authereum, directly or indirectly, are not eligible for rewards.
- Anyone who works with the codebase as a professional Authereum developer is not eligible for rewards.
- Authereum websites or Authereum infrastructure in general are not part of the bounty program.
- Anything already covered by our audits and disclosures is not in scope of the bounty program.
- Social engineering of Authereum users, employees, or any party is not in scope of the bounty program.
- Do not profit from or allow any other party to profit from a vulnerability outside of bounty program payouts from Authereum.
- Do not violate any applicable law.
- Exploits of tokens or 3rd party contracts/code that interact with the Authereum system are not in scope of the bounty program.
- Denial of Service of the Ethereum network and mining exploits are not in scope of the bounty program.
- Front-running and other Ethereum network related issues are not in scope of the bounty program.
The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the OWASP risk rating model based on impact and likelihood.
Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Authereum.
Severity describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements. A description of each vulnerability tier is as follows:
- Critical Severity: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control. They can steal or freeze all user funds. They can acquire admin abilities (upgrade, add admin key, remove admin key, etc.) or maliciously trigger or prevent them.
- High Severity: Attackers can steal or freeze some user's funds. An attacker may be able to acquire admin abilities (upgrade, add admin key, remove admin key, etc.) or maliciously trigger or prevent them.
- Medium Severity: An attacker may disrupt the system but is not able to access funds. They can hinder users and their experience, or render the Authereum system in a suboptimal state for a short time.
- Low Severity: An attacker may cause unexpected behavior to the system, but does not cause downtime or affect any user's funds.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline. The payouts listed next to each tier are maximum bounties for the tier.
In addition to severity, other variables are also considered when Authereum evaluates the eligibility and size of a bounty, including (but not limited to):
- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Give us time to investigate anything you report before sharing it publicly or with others.
- Please don't exploit an issue if you find one, even if it is only to test the exploit. There have been times where sending a transaction on the main network to test an exploit may have caused serious issues.
- Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.
- Submitting anonymously or with a pseudonym is OK, but will make you ineligible for rewards. To be eligible for rewards, we require your real name and a proof of your identity.
- Please make a good faith effort to preserve the confidentiality and integrity of any Authereum customer data.
- Do not defraud Authereum customers or Authereum itself in the process of participating in the bounty program.
- Do not report vulnerabilities with demands or ransom threats.
- If an issue is found for a contract that is not in scope of this bug bounty program, please report it to us in the same manner described above. We will handle these reports on a case-by-case basis.
Please email email@example.com to submit a bug.
Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for our active Authereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Authereum. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
We reserve the right to modify the bug bounty program or cancel the bug bounty program at any time.
Authereum pledges not to initiate legal action for security research conducted pursuant to all bounty program policies, including good faith, accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the bounty program.
If legal action is initiated by a third party against you and you have complied with the bounty program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Authereum cannot and does not authorize security research on other entities.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the bounty program policy.
We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.