æternity is a new blockchain technology, designed to deliver unmatched efficiency, transparent governance and global scalability.

挑战地址与赏金，欢迎挑战：

https://hackerone.com/aeternity/

Policy

Aeternity Bug Bounty Program

Aeternity aims to be a backbone for decentralised applications by providing developers with the necessary infrastructure to deploy these applications. As such, we strive for our systems to be secure while still easy to use.

We want to use this bounty program to encourage independent researchers to engage with our system with the goal of finding possible security flaws.

Contact

Please note that in the case of a successful submission, we will publish detailed post-mortems, that will include most of the information gathered during the disclosure process. If you wish to stay anonymous, either contact us with a throw away account or let us know that you do not want to be named.

Response Targets

Aeternity will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 2 business days

• Time to triage (from report submit) - 5 business days

• Time to bounty (from triage) - 14 business days

We’ll try to keep you informed about our progress throughout the process.

Examples of eligible bugs

Critical

• bugs which can take full control of aeternity nodes.

• bugs which can lead to private key leakage.

• bugs which can lead to unauthorised transfer or unplanned generation of coins.

High

• bugs which can incur Denial of Service (DoS) in the aeternity network through P2P network.

• bugs which can incur Denial of Service (DoS) in the aeternity network through the implemented protocol.

Medium

• bugs which can incur Denial of Service (DoS) in the aeternity network through per default and publicly exposed APIs.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Please note that in the case of a successful submission, we will publish detailed post-mortems, that will include most of the information gathered during the disclosure process. If you wish to stay anonymous, either contact us with a throw away account or let us know that you do not want to be named.

If you want to participate in this bug bounty program then please make sure that you are willing to adhere to the following rules:

DO NOT

• disclose vulnerabilities before they have been removed

• engage in social engineering, phishing or the like against project members

• start DoS/DDoS attacks

• actively exploit vulnerabilities in the main production network

• inflict physical harm on hardware belonging to the Aeternity project

DO

• be patient and give us enough time to verify your report

• provide enough information for us to be able to reproduce your findings

Not following these rules will disqualify you from receiving any rewards.

All deadlines mentioned in this document should be extendable if both parties agree.

Also see HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit vulnerabilities only for the latest release, vulnerabilities submitted for older versions are not eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards

Please see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of Aeternity.

Scope

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug

The code found in the following repositories is the scope of this bounty
program:

• https://github.com/aeternity/epoch

• https://github.com/aeternity/enoise

While there are many more software components that make Aeternity what it is, these repositories are essential to the network.

Websites hosted or operated by Aeternity are out of scope of this program.

In general, attacks requiring a significant mining power—e.g more than 25% of the overall mining power of the network—but still operate within the consensus model, such as selfish mining, are out of scope.

We also have an extensive threat model and description of our protocol you can consult for a more in-depth overview.

Safe Harbor

To encourage responsible disclosures, we will not pursue civil action or initiate a complaint to law enforcement for security research and vulnerability disclosure activities conducted in consistence with all this policy guidelines. We consider security research and vulnerability disclosure activities conducted in consistence with this policy and guidelines “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with this bug bounty policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not
us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.

You are expected, as always, to comply with all applicable laws.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Copyright

In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, we reserve no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.

This document contains material from the #legalbugbounty project, which can be found on github.