Decred Bug Bounty

We ask that you respect the following rules and guidelines:

• All bug reports need to have clear reproduction steps and/or proof of concept.

• All bugs must be reproducible in the latest production release or the master branch of the code.

• Bugs in old releases or feature branches are not in scope.

• We prohibit denial of service attacks or network bandwidth load testing.

• Unfortunately we are unable to pay for duplicate reports or reports of bugs which are already known.

• Any type of public disclosure of the vulnerability without prior approval from the bug bounty program will make it ineligible for payout.

• Please inform us if you have your own timeline for full disclosure (90 days minimum). Unless specified we will release the information at our own pace.

• Do not attempt to directly contact the developers in order to obtain the status of a patch/fix.

• No social engineering.

• No spamming.

• All Current/Past (for up-to 6 months) Decred contractors are barred from taking part in this bug bounty program.

• Vulnerability reports made before the start of the program will not be eligible for a bounty.

• Do not attempt to attack or test on mainnet - the main Decred network. There is a completely separate Decred testnet which is specifically created for software testing. Testing on the public testnet will prevent impact on mainnet and removes the risk of causing real financial damage. It is also possible to create your own personal simnet. Simnet runs on on your own local system, and has a low enough difficulty to mine blocks using only a CPU.

Reminders

• Almost all of Decred’s projects can be run locally and reproduction instruction are available on GitHub. We strongly recommend you to do this.

• Always check the “issues” in GitHub of a project to avoid a duplicate report.

• Decred project is not responsible for any loss of DCR due to bug testing.

Payout

We will be using the OWASP Risk Rating Methodology for assessing vulnerabilities and determining payout amount.

We will also take into consideration the impact on the Decred ecosystem. An RCE in dcrweb (low impact) is not the same as an RCE in dcrd or Decrediton (higher impact).

The following are also factors in the payout:

• Quality of the initial writeup.

• Quality of vulnerability reproduction steps and/or proof of concept.

• If you provide a code fix for the vulnerability then you will also be eligible for a “code fix” bonus on the condition that our existing developers accept it as valid.

All payouts will be in Decred only. Payouts are done in a single batch once a month. You will be required to create and operate a Decred wallet and CMS account. The DCR to USD ratio is based on the average USD rate of the previous month. The payout amount is decided by a core “bug bounty” group. Once decided, there will be no changes to the payout amount unless the vulnerability impact changes.

For vulnerabilities that require a patch rollout and pose a risk to the network participants , we might choose to only release 60% of the payout amount first and hold the 40% until a patch has been released and distributed.

The maximum approved budget for the payouts is capped at 100,000 USD. Please be aware of this when you are submitting multiple critical vulnerabilities. If the limit is reached then a new proposal will have to be submitted and get stakeholder approval before you get paid fully.

The payout amount will only be decided after the patch for the vulnerability has been merged. The submitter will then be contacted and given instructions on how to claim the bounty. The bounty hunter will be given one month to claim it after which the bounty will be considered forfeit.

Indicative payout amounts

Note: up to 500 USD

Low: up to 1,500 USD

Medium: up to 5,000 USD

High: up to 15,000 USD

Critical: up to 30,000 USD

Projects in scope :

Special Notes:

dcrlnd scope has some limitations, please read the linked github page before testing.

atomicswap only the Bitcoin, Decred and Litecoin versions of the tools are in scope.

The following are not in scope:

• Chat and communication platforms including Slack, RocketChat, Matrix, Discord and the Decred forum
• Email servers
• Testing or staging sites
• Projects still under development
• Unsupported projects including:
  • dcrios
  • dcrandroid
• Deprecated projects including:
  • insight and insight-api
  • bitcore-wallet-service
  • Paymetheus
  • Copay
  • dcr-netstats
  • dcrstakepool

The following vulnerabilities are generally out of scope:

• DMARC, DKIM and SPF related issues.
• The primary objective of this bounty program is to find vulnerabilities in software developed by Decred. Hence infrastructure related vulnerabilities are out of scope unless they lead to critical exploit (RCE or similar).
• Missing security best practices that do not directly lead to a vulnerability.
• Insecure settings in non-sensitive cookies.
• Vulnerabilities (including XSS) that affect only legacy browser/plugins.
• Non-technical attacks such as social engineering, phishing, or physical attacks against our members, users, or infrastructure. This includes attacks such as Self-XSS.
• Missing HTTP headers, unless a vulnerability can be demonstrated.
• Bugs requiring exceedingly unlikely user interaction.
• Outdated software/library versions.
• Clickjacking on pages with no sensitive actions.

Please follow a standard format when submitting vulnerabilities

Title:

Affected website or repository:

Vulnerability Type:

Details:

Impact of Vulnerability:

Reproduction or POC details:

Fix:

Email your bug report to bugbounty{[@]}decred.org

Always use the below PGP key to encrypt the email, and be sure to include your own PGP key so we can securely respond. Failure to do so will reduce payout amount.

Any supporting evidence (screenshots, videos, etc) should be attached to the email itself. Media files should be encrypted inside a .7z, .zip or .tar.gz file with a secure password that is included in the PGP encrypted email body. Hosting on external services may lead to disqualification.

FingerPrint: D507 9E93 D0AF F567 DEF2 F6AC 6457 2029 21F7 0A78

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFw+ARsBEADIOjL7OYHqhmEafUMFUIfc+9fOdu8WRXswDkyEtSInsuJcsNCd
p6Ua8rKzA+yiaon27gB3LWnBHlL/P0FbeWhInPVcgPce1fQ3c4vKi3pT5Q6ooMeh
b98n8EoccvuJCiYgpAmUG8m/oR7d3JpoF2u2pCQGHqduAOMZSKRJ4E8FW7XwOuH6
YO/4n89FLX8kSa7aK+ptrn7lcj35hOwnPLW+MLlPVWOVqjfRc3U/mSM4Q5IA2l4S
3vk4l6zoFj4676mW7wPAolAfR4IbUlP1WqgYhepz+7mTkDfh784t1xSXri8aVLr5
vbP/QRnv17wlbtEjjQAujI36XiREGJ449vS37bOrkiRxyQWzedcVkrPZWOIZpTi4
eEZahqir6+dpeLmQVWlKRrQdEIBG+v2eGDzRSWcD6vKwQJCcMqm5mZjOi93C0NSb
b2Fg2bK5cLgM1mboX2C1i9e0aQGCF73Xyb6f4gxXXhgWzJZlSgvIFql5G4QxGB2T
kohDcG+p2IoT27IF03n9SmCQnq0G/itTeWO9ukY5G3hUUqiH/heGnmB0JjmCQvqf
tL7VKEb/LZm9Mh3Pih09RURGcMzwK8dPcM+86N1uUg+0nzYDgEmNsMfr7RKaJAc1
VRetSFreGr//nQiguEBrZbDwiNFTbF9RpqRedm6RDy8U+JVedgF7N1Z5swARAQAB
tChEZWNyZWQgQnVnIEJvdW50eSA8YnVnYm91bnR5QGRlY3JlZC5vcmc+iQI+BBMB
AgAoBQJcPgEbAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBk
VyApIfcKeIvgD/93O5J5kI1U5gMwmOCJEa5BHNxdu8Kb8i0W51o6qHWYUbCvGHHp
lI96lmCOLUfWckk9GVmNZDPSph42b7NNlrZldfz1aTK7dSWArsYbo8Q61sdxfGxj
hsF67JMLyUNBIrmJVRbrwB1myL34wMEpMZ7P7tNflZ1J7H4irjDBIMF2clZB36Vq
9aDSMfO2wxeXbwn7gKl7+tZ6/E6FrjNJdmudWEr/Kc1nk62zf9TKucyO65MCtfut
7IJjPvxdXSZHQdpRKU4HFUDIuSqNtMowAKWh7T0vApDCarlJvHojqw9B5iIUIX8z
sgNaZTAnjDyX4uvmn62BRHmWxBhNQOJokeDxV6TOSUs1T/AMamAS4W8iXqlPMVUb
yK1zjeFdxGtb78NRlKlkYzGJ+hNneKkkUtGkbkKdnhgQH9scQYdBV6Clvbqk7Fxv
nQyDVVhrAl2b46mdXdz+AsyFKNLDxxuJupGMR1OnFQLYM/QtdW+tNe1qnnrK41Qn
TiGGEH+KjQaB3G7GgtytUzJP8L4kIAcgMzIJ4gyJBjBKtxGffGZeRiq8fjJHjebq
CXlLAe3Mk0iUdFzhoMSvFp0lHQfxVR8FG+e0Di1n/KXXHx1RqpL78IEEfk7FoVi6
Xeyp4Tb1TeH8Ee6xkYxGD8Ee3X/O4OF32bR9OkLTod3Cq41lbQN4CUUYV7kCDQRc
PgEbARAAxRGa5hGt3PtV57iob6OvpNhjckX6Yq9tDErDs78woAck/U69xM3hBmMg
VCcNRECJ3iXlGyi6xq6mhliAPRmfI/iGFPW1o1m9u8tvvT3xwROZehpkog4S0MzM
NJMOG0juKE8iEezAMiw2ocQ+Km5l8El4DPhte8dzpkH6DlyyNJUEVQhptcrtWno5
dNDZNcHm+VtM6DBbUwzB+pQ6t/woZMK1PLNKb9xZsfQ1OZttsmsoReybBMho8dYq
7pkr9RL9p9iRNT9qSTKVGssw74IwL8FYPKAccBcyycftJEA5qM5fzzsrsudcme0H
50//TdNiHbMTzISQD7qz+DpVaVxZWPbTpFa7wpo6M/sDlZ1wgdVCQJVhYpspKqe+
mMGP9N0RCXboDcYKAqYxgNX9RCWoUcAwON2dWSpWSiUA5x8/tWSMHiNUwVKmoRd7
IinbZrW1ENWb1ObVxfIt7CTzzm835BAaBhdGNni42a/7JvfCeCpBjXbYAFeT2gbS
qr4P2nfgONPalKTmbvrvqWGGJ5yDaQ9LjtIBsPBZJN3oz9OMJ5rwLXrXTCRjn4Qw
cMrdTTCH8n1lBh73iCHuO85fxRRj3EtKs4n8ozXrYfAdk+cpAYOLBsP9fT7IMdNO
iqjW7PIEHiJjCVJIIuloSQG7roDUuf+v4OcFf79fCncdPlLmnU0AEQEAAYkCJQQY
AQIADwUCXD4BGwIbDAUJCWYBgAAKCRBkVyApIfcKeIfaEACiZGGojLuJ/Qx99bux
3agWrss3+9P25J3yGb1gGYUhQce6Xg+DjI3O/j0J6PcQsaoCzxvZhD/BwJinxzfL
0BKT8ekPXgjXgzmx9V+wXTjknLpjFZnMPwhwUMzLMwOYeVuEl5ZmEgxzc6nW/KQI
sRnTvpc1DoJIeGDgXEOQKpwKWfRQhO8NBz9jM132rQCEQJv1eGRWQWe74LBtE+VF
Zo+6J69AsnSubP76HnHbnAl/3qtOVn0SluCjGm5Bx9hp4s+Ugsv9/sZ8lutGWOgY
aOxx+h9729xv9VDq5VekNcvhBJNuW9jLw+ueuhGRvFXaOuefys4nsMmjKnA76RrC
Aso/brtjUj/Z1St63uqi89TNq2ulnVRPIkLqqMbNejxqFJTeedp1cfxh+StCqG/1
yKnkeZIDKucPzy34t8Fi+wZR4fdlwUyCKDYvkSykGAM2Yo1Tfwv7opa4AKmKZu3V
oYXaXT0o/3cW4VwLRF5cqkhSXh2OQcFQUcOAUp18LziRo/gyLB9ocoH0x49kMDUx
KKXyCQYCwgv0UxWxezIeBimvLTsVW23VagWBbEUchHnsM4RU2XDWqynvalGZzkGH
JxTNQDpJOx6n6Fa9X0YTzEFBqihhrXeprdeEaUQff95iCPw1ykUt2tqJ7boOEWJO
62zcU+ErhAu2l/JJNs1LMq+Bf7kCDQRcPgGFARAAr/R7HyZyvgs90ZCTgD4rS1yj
+ExqCNxTbmJoZksEs5ShNrLVwHLQWTd4S2dA2vPifLzTV8Fd5kn509V7/oyCKOC6
GfwvBbEctPAJ4JskNpE++tYDl/voB9FeoPNKdSK3cntCw12NBlAXCN1FKDnkzrdI
DPlmzkKWjvncZy8GBwkxtMSHkiCyBG/WmjYM7e/AVgRnnAWVMOeGaeU59/kmXPzy
CmtdaV0ZAXo/OsZ6Fz+1IiFfkOpyEJ1S1U8+46dx4Y21siVXrurhrPpF98F2wJ0m
f/va6ayq+LiFLphezVq41DuX3XTfyBhs5PqYcE9nya73aiPHeCNplAz+NuP5axA1
JOD0nXDBhAmWny5Jx5qcVQS3AtKv/BwZHizRSYFZog3gyD3Nc0X44DomlTNE3lOP
eC/85GRYCDWt6IX3yXlA3t8Zk0Gk2KHOiNI+t7Cg/CWq0Gj2aelq+MbyK2G+L4aK
7MpQiAXs/WHeS48IgyzdOBua0rjAOaNCpNHw8ZClafgIdxMnBVmq9mH4cXZBzAZk
0OOkYKMaiu7SiJV1XrdJPzUPsbRMbyoNnFdaOleJj64wq8ClFQhLoPFH9RP78Pwe
TkUC7SXwUOclnSR84uk/wzURcwf+QUEnpP02NptKQ4jLKgakSmHWcacCU0jPBcA1
81BOc5cnTIPBajXvS7cAEQEAAYkERAQYAQIADwUCXD4BhQIbAgUJCWYBgAIpCRBk
VyApIfcKeMFdIAQZAQIABgUCXD4BhQAKCRAtkBirFF6+rpauD/9qVWkw5XEpyllF
ihTysTTUOtTwYBOuHne1L2ZUFNeyYz9J/QH941mYQNOASe3yEC98hMR75FHW9MM/
0gp67VMPIWpg4lcIpFA8xFKXsoy49OFy/SKzfV5aW1j/QE7GF4ynRHffPaMEH9uP
y94M0GM+vwlOiOIo3dMHygltt3v52xhnOJrs84qjyI7QwBMXVR6PEu7wTZVXY8Ze
nZF2DWc02fR7+Aizcuxh8mFxb0fOIPd2Z7blZOxsMDFbPDvYPSR3LkiMxjpixiEk
qpil9rl5k/ZBfKxYGkuVRuAZANjoxRPB2J6Ua7fAmAPU7gkWhbcTI4y/jvdjRX98
JRSFvmFE15L/GrGiHX3fuYpsNUjmzJFIpXfM0D2UJri/56uGzR5eNiedKzU+7TXH
12ZiYafAJVi0x5zQwon/GiVuPuSrgwDnB2i0vfF0ywBhMqAcYkcKrhXsEgNvNkRp
HX+7bzu1F3HfTm3htaWKcibjqEI+05WLuT6kgIHdMJ55IzT4iNvxX+74E9/Jhn52
Y4asBeSEUOBFRCHLL0dBkhI5puPtl4Bj1b9HDmW8ovrKVoL3yH8tpcmwM0yRtIQK
h50W1df6wh5dPuAJkSbmMVgpi0kIORYq70oE5DEx1fgpyauaeqwlw6wsKi91sAJl
Sy3b7DusgDEpBGY2a6kUVNgJTuCfD2QHD/9vZDD2KA6h6pSgtQ2D5ugk72vAZQdl
IqcLXY/wPmvkjvd2C2M8SeitX8MOb87hmvttxmwmyAwIHdhZfSI8/qvd71DtIYOF
tAeM3pODsQNxZLdnzla/Tvr2tw1/pln6VsN/UpbE7xFbQ3Hsc/l2IPaaBNbLoHK4
MVs3zNCm4Zu8xCmL4R4cUI1wWPiEnXetStA5ukqfe13ZUTBc+NxvcAiy5FzfjgSi
/yYGnnd1dpo5/z9gbR30fChK0TpeXhI25mGWmWH9O9foLZtAUI8P54NkEIg7Tg+6
dEpYLzKFAfRaBMrYWmTLHTdkqWN1Qm0+1c0m6b7rQQnVIrnvmZ14vvn++fxamGBS
BwrvjP+kI8FXfKGMFnPjcDzUl0IwajsiIWo4RmUVMxiEyLqzDbjcWqbCGXMshXP+
/uoe1WIqPYdidDgR1SGe8uv8By3boNIDr8OwR+Pve3dBGctxMMEoL9T+xQckJ5du
v8qxU45QG6F1shdW/jW4naz8MS7CTyrNEstYhqwV8utClsJjuv/RTCxwr+KcKreo
azGiaVhcoDDradOeJ4TirW7R+0pTunlLb4hxpj8aGa8LC6ut2I6QrR12QByrqJmj
qg5eltq7pMaPJqOdCZpsNcqGz08f0TR/t6cQK8eny3Y7VSBtMRxT0MmCC3I6g76f
bWDBwFGxHlME1g==
=32FW


-----END PGP PUBLIC KEY BLOCK-----