Witnet Incentive Program : Find Bugs and Build

[tomsanch]

Witnet Bug Bounty Program

Submit before 7th October 2020 and your reward may be applicable for a multiplier, as specified in the Reward Criteria below.

The Witnet community appreciates the assistance of the Gitcoin community in exposing and fixing vulnerabilities that will ensure the Witnet protocol is robust leading up to (and in the months following) the launch of Mainnet in October 2020. The Bounty Program was announced in July 2020 as part of the Witnet Testnet Incentive Program, and we are now happy to open it up to the Gitcoin community.

For full terms and conditions on the Program, please click here.

About Witnet

Witnet is a decentralized oracle network (DON) that connects smart contracts to the real, off-chain world. Broadly speaking, it allows any piece of software to retrieve information published at any web address at any point in time, with complete and verifiable proof of the information's integrity, without blindly trusting any third party.

The Witnet protocol achieves this by permitting a network of computers to act as a "decentralized oracle" that retrieves, attests and delivers information to smart contracts, with no single point of trust.

Response Target

The Witnet Foundation will try to meet the following SLAs when any reported bug is made by a member of the security community:

Stage	Response Time
Initial Response	within 10 days
Report	20 days
Bounty Distribution	Up to 6 weeks
Resolution	TBD based on severity and complexity of bug reported

We’ll do our best to ensure all communication is clear and concise throughout the process.

Rewards and Judging Process

Submit before 7th October 2020 and your vulnerability may be applicable for a reward multiplier, as specified below.

Generally speaking, any bug that poses a significant vulnerability, either to the soundness of protocol and protocol/implementation compliance to network security, to classical client security as well as security of cryptographic primitives, could be eligible for a reward.

The Witnet Foundation will take into account:

• Depth and scope of research from the Bug Hunter, and the quality of analysis
• The criticality of the bugs/vulnerabilities
• Ease at which the Witnet Foundation is able to recreate the vulnerability

Category	DAI	Reward Multiplier (submit before 7 October 2020)
Critical	Up to $5000	Up to $10000
High	Up to $2000	Up to $3000
Medium	Up to $1000	Up to $1300
Low	Up to $300	Up to $400

What’s Eligible for Reward?

Uncovering a bug that poses a significant vulnerability to:

• the soundness of the protocol
• protocol / implementation compliance to network security
• classical client security
• the security of cryptographic primitives
• security issues with certain services that the Witnet Foundation offer

Attacking the Witnet network by:

• specifying an attack which potentially affects liveness, safety or censorship resistance on the Network
• eclipsing a particular node and running a double-spend attack

Creating a data request that:

• potentially affects the long-term or short-term fairness of distribution, liveness or security of the network

Running a Witnet<> Ethereum bridge node that:

• breaks the security assumptions offered by the interaction with the Ethereum chain and convinces a client smart contract of a fake result

What’s Not Eligible for Reward?

These bugs and attacks will NOT be eligible for any reward:

• any vulnerability or limitation already known by the Witnet Foundation, as listed on this document
• any bug found on the Witnet websites witnet.io and all the third-level websites on those domains
• any bug found on an application not built by the Witnet Foundation or by the Witnet community
• any bug found on the third-party libraries that the Witnet Protocol utilizes
• bugs which have already been submitted by another user or are already known to the Witnet team or have already been publicly disclosed
• any other bug deemed irrelevant or insignificant by the Witnet Foundation
• any bug found by Witnet Foundation employees or any other person employed in any way by the Foundation, directly or indirectly, or anyone engaged by a user of the Witnet codebase to review or audit Witnet code (which has been specifically developed for that user) in exchange for remuneration

Please note: it’s entirely at the Witnet Foundation’s discretion to decide whether a bug or an attack is significant enough to be eligible for reward.

Resources

General info:

• Witnet Overview → https://witnet.io/about
• Witnet Whitepaper → https://bit.ly/WitnetWP
• Witnet Must-Read Digest → https://bit.ly/WitnetMR
• Run a Node → http://bit.ly/WitnetRunANode
• Witnet YouTube → https://bit.ly/WitnetYouTube
• Quick tutorial on creating a price feed contract → https://bit.ly/2SrJuLO
• Intro to the Ethereum<>Witnet bridge → https://bit.ly/37nfZ1X

Community info:

• Telegram → https://t.me/witnetio
• Discord → https://discord.gg/X4uurfP
• Twitter → https://twitter.com/witnet_io

Technical info:

• witnet-rust GitHub repo* → https://github.com/witnet/witnet-rust

  • Witnet Node* → https://bit.ly/31fhfUQ
  • RADON* (Witnet's DSL) library → https://bit.ly/3ghGOJj
  • Wallet → https://bit.ly/3j0xHhH
  • P2P modules → https://bit.ly/2QaHhCx
  • Validations → https://bit.ly/2ErI67q
  • Buffer schemas → https://bit.ly/31iRfYN

• Witnet Truffle Box* → https://bit.ly/2OT1XhQ

• Repo with price feed ready to compile and migrate → https://bit.ly/2SI1Uqt

/ * These are priorities for this program. Bugs or vulnerabilities which threaten the security of funds for the node operators or data requestors will be rewarded with the most generous rewards.

Disclosure Policy

By participating in this program, you will:

• not discuss any vulnerabilities (even ones that have been addressed) outside of the program without expressed consent from the Witnet Foundation.
• not violate the privacy of other users, destroy data, etc.
• not defraud or harm the Company or anyone in the Witnet Community during your research; you should make a good faith effort to not interrupt or degrade Witnet Technologies.
• not target the Company’s or any member of the Witnet Community’s physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to the Company, the Witnet Protocol, or its users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
• follow HackerOne's disclosure guidelines as laid out here

Submitting a Bug or Vulnerability

Please provide a detailed report with completely replicable steps. Send your report to testnet@witnet.foundation and include the following:

• your name
• your GitHub profile
• a description of the bug or attack
• a severity level of the bug (based on the OWASP guidelines)
• a description of the attack scenario (if any)
• a list of the components affected
• a report on how to reproduce the bug or attack
• any other details

Furthermore:

• On the email subject, please use the following format: WITNET BUG/ATTACK[SEVERITY LEVEL] (the severity level of the issue is discretional to your understanding of the submission, and will be later reviewed by the Witnet Foundation)
• If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• If you have more than one to report, submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• In the case where multiple individuals submit the same bug, we only award the first report that was submitted.
• Each underlying root issue will be liable for only one bounty, even if it causes multiple vulnerabilities.

Submissions must be made before the 12 Jan 2021. Submissions made before October 7 2020 may be applicable for a reward multiplier, as specified above.

A huge thank you from the Witnet community! We look forward to hearing from you.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 30000.0 DAI (30000.0 USD @ $1.0/DAI) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
  • Want to chip in? Add your own contribution here.
  • Questions? Checkout Gitcoin Help or the Gitcoin Chat
  • $765,046.81 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work has been started.

These users each claimed they can complete the work by 2 months, 1 week ago. Please review their action plans below:

1) bocryp has started work.

my bug bounty 2) ruslimjr has started work.

Tentang agama Islam. 3) x00x00 has started work.

Web application pentesting, network pentesting 4) ali2210 has started work.

Find Bugs in Decentralized Oracle Network (DON), find attacks where bad actors temper the system or take advantage. Prove worthiness of content. 5) cjsaveas has started work.

I'd like to give it a try, hope I can finish this job. 6) korobeiniki17 has started work.

Total Number of Vulnerabilities Detected: 12 in witnet host, but I believe there are many more vulnerabilities that cloudflare is blocking to run, anyway if you want a complete scan of your platform I will need you to disable cloudflare or create a clone of the website for me to do penetration tests.

Learn more on the Gitcoin Issue Details page.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work for 30000.0 DAI (30000.0 USD @ $1.0/DAI) has been submitted by:

---

• Learn more on the Gitcoin Issue Details page
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin's Discord
• $1,793,362.48 more funded OSS Work available on the Gitcoin Issue Explorer

[aesedepece]

@korobeiniki17 Hi, thanks for your effort. I'm sorry to inform you that your submission is not eligible for a reward under the terms of this bounty program, which explicitly excludr any bug found on the Witnet websites witnet.io and all the third-level websites on those domains.