You have probably heard about bug bounty programs that award white-hat programmers sizeable rewards and wondered what this is all about. Many websites and software developers use bounty hunting as one of their main methods for finding defects in their code and avoiding security incidents.
As you can already guess, a smart contract bug bounty is one subdivision of this practice, concentrating on smart contract vulnerabilities and security exploits.
So, let’s go on and explore smart contract bug bounty programs and their characteristics.
Bug Bounty Hunting: Overview
Bounty hunting refers to receiving compensation and recognition for reporting bugs, errors and security exploits identified within a codebase. As a result, software developers can resolve the issues and debug the smart contract code before the general public notices them.
Simply put, bounty programs allow ethical hackers to test a company’s applications and check if they contain certain types of vulnerabilities or not. Then, they report vulnerabilities through special platforms like HackerOne. Afterward, the company running a bounty program validates the accuracy of the provided information and rewards the ethical hackers with the promised bounties.
Top Bounty Programs
Various organizations and companies run bounty programs. Naturally, details and requirements can vary from one company to another. So, let’s review some of them together.
Lossless Bug Bounty Program
Lossless launched this bounty program in cooperation with Immunefi, with the main focus on its smart contracts. The bounty program is designed to prevent:
- theft of governance funds
- disruption of governance activity
The reward amount is decided according to a five-level scale based on the security impact of the finding.
For smart contracts, the rewards are as follows:
- Low – $1,000
- Medium – $3,000
- High – $20,000
- Critical – $50,000
For all these tiers, the essential requirements are a PoC demonstrating a successful exploit and a suggested fix.
Additionally, the company will accept only the following impacts:
- Governance and user funds loss
- Manipulation of votes
- Gas drainage of smart contracts
The list of vulnerabilities excluded from compensation:
- Basic economic governance attacks
- Absence of liquidity
- Incorrect data or manipulation attacks
- Phishing attempts and other social engineering attacks
- Any testing against third-party smart contracts
- Public disclosure of an unpatched vulnerability or of captured traffic
Sögur Smart Contract System
Sögur Smart Contract System runs another bug bounty program. Here, the compensation depends on the scope of the detected issue and varies from $1,000 to $50,000.
Sögur’s bounty program rules are as follows:
- Only detailed reports with remediation solutions are accepted.
- You can submit only one issue per report. The exception is when a chain of vulnerabilities must be described together to demonstrate impact.
- Multiple vulnerabilities sharing the same root cause will be awarded only one bounty.
Vulnerabilities that are out of scope:
- OS-related issues
- Attacks requiring MITM or physical access to user devices
- Vulnerabilities in the Ethereum client being used
- Previously known vulnerable libraries
- Incorrect blockchain data supplied by third-party oracles
Chainlink Bounty Program
The focus of this program is the Chainlink smart contract and its node. The highest bounties are reserved for vulnerabilities that can cause fund losses for the node requester.
The following are out of scope:
- Disclosure of confidential data such as API keys, access tokens, etc.
- SGX-related errors
- Unauthenticated, login or logout CSRF
- Denial of service attacks or automated testing that generates a high volume of traffic
- Any attack that causes damage, or that requires access to credentials
A bug report is rewarded once the reported vulnerability has been validated as correct.