Ocean Protocol Bug Bounty Program

[Anirudh2490]

Ocean Protocol Bug Bounty Program

Ocean Protocol is launching the Ocean Bug Bounty Initiative. We are inviting the entire community and all bug bounty hunters to help identify bugs in our protocol.

How can you help?

We are always working hard to ensure that our code is bug-free and we have security checks, tests and other measures in place, but there could always be possibility of issues that were overlooked by us. We need your help to make Ocean ecosystem secure for everyone. Our bug bounty program is an initiative to reward members of Ocean Protocol's community for helping us find and address significant issues that can impact the security of our protocol.

We invite you to look through and test our different repositories to find and report bugs. In case, you are completely new to Ocean, we have a simple and structured documentation you start by going through to become familiar with the Ocean Ecosystem and its different repositories.

Where to report bugs?

You can fill our our questionnaire. After you report the bug, we will reach out to you for more details.

More information on what to report

Upon applying, please fill out on the questions in the form. Here are some of the things we will need

• E-mail address: Please provide your e-mail address so that we can reach out to you concerning the status of submitted work as well as the reward.
• Bug description: Please provide a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.
• Repository - Please provide a link of the Ocean repo on Github where you've discovered the issue
• Severity level: According to your estimation, what would the severity level be and why? The severity level of the issue is based on your discretion and can vary from ours. We reserve the final right to award the severity level, but would also want to know your estimation.
• Attack Scenarios: If applicable
• Any other info: If applicable

How to report severity levels

When thinking about the severity level of the bug you are reporting think about it a) How many people can this bug affect? b)What is the probability of this bug occurring? The severity level and subsequent reward will be based on these two questions.

Here is the Severity Level based on the Ocean components.

L1 (High) - Keeper Contracts, other Smart Contracts and Secret Store L2 (Medium) - Brizo, Aquarius, and Squid design/implementation. L3 (Low) - Pleuston, all the Data science projects and other active projects.

Please note that the bounty rewards will be based on the severity level. Here are 3 examples

• A bug that reports data loss, data corruption, loss of tokens (through various means), system unavailable, important functionality missing with no work-around can be categorized as a High Priority bug and must be fixed immediately.
• A bug that results in functionality being unavailable/not working but has some work-around, is not behaving as described, failing in integrations but not serious enough to result it loss of tokens can be categorized as a Medium Priority bug. It may be fixed in the upcoming sprint.
• Minor bugs and issues can be categorized as Low Priority and can be fixed when time is available.

Out-of-scope bugs

We will be rewarding bounties only for the above mentioned components. Anything outside of that will not be considered. For example, bugs on the website will not be considered for this bounty. You may report other bounties via. our Open Waters bounty.

Claiming The Reward

Here are the general guidelines for rewards for this bounty.

• The minimum reward for eligible bugs is equivalent to 100 Euros paid out in Ocean tokens.
• Rewards for the Bug Bounty Rewards will be based on severity levels of bugs reported and will be completely dependant on our discretion. Rest assured, we will be fair and just with compensation.
• Each bug will be considered for a reward once.
• Rewards can go upto 10,000 Euros for the severe bugs.

Once the bug is submitted, our team will reach out to you for more information regarding the issue. After the verification process is completed, we will start the steps of transferring the tokens to you.

PROCN is a proto-Ocean token. Bounty hunters that earn PROCN will be able to convert them 1:1 to Ocean tokens on network launch (Ocean Token will be valued at at 0.22 EUR on network launch). Network launch is expected to happen by Mar 31, 2019. Until then PROCN will be locked and non-transferrable in the ETH wallet to which it is delivered to. Incase the submission happens after network launch, we will be transferring in real Ocean tokens.

Things to know

The bounty lifecycle process including payout will be managed using Gitcoin. We'll be responding to your questions here, but for discussion and clarification we recommend to join also our Gitter channel where our tech community is accessible. In order to see the PROCN balance in your wallet you'll need to reference the related token contract with address 0xf2aabdd898a0139195b2b5da7387d43a45ded254. If you use a Metamask plugin you'll find the the exact steps here. Lastly, even if it is a contest bounty, we will reward all valuable contributions and efforts. We greatly appreciate the value our open source community brings to Ocean and will always award some tokens to all great contributions! :smiley:

[petertrapasso]

Hi guys!

Is your bug bounty program still open?

[schniggie]

Howto report security vulnerabilities nowadays? Looks like you enjoy the hard way of full disclosure?