Since announcing its new bug bounty program at the start of June, EOS has resolved 42 bugs in its software and handed ethical hackers $348,000 in rewards.
EOS joined HackerOne, a bug bounty platform that partners with the global hacker community, after a Chinese security firm said it discovered “epic vulnerabilities” in the platform. EOS called the report FUD and said most of the reported kinks had already been fixed.
EOS rewards hackers $5,000 to $10,000 for finding critical bugs. The next reward-tiers range from $100 to $5,000.
Issues that qualify for rewards must do one of the following:
- Cause nodeos to crash via the P2P plugins (net_plugin or bnet_plugin)
- Cause nodeos to crash via the HTTP RPC API (http_plugin) with Patroneos protection
- Send a contract into an infinite loop
- Cause a contract to use a large amount of memory (more than 64MB)
- Crash nodeos with a contract
- Trigger unauthorized actions on accounts
- Cause a contract to run for more than 10 ms over deadline
If you want to submit a potential issue to the team, here’s what must be included:
- Asset – What software asset the vulnerability is related to (e.g. EOSIO core software/eosjs)
- Severity – Your opinion on the severity of the issue (e.g. high, moderate, low)
- Summary – Add summary of the vulnerability
- Description – Any additional details about this vulnerability
- Steps – Steps to reproduce
- Supporting Material/References – Source code to replicate; list any additional material (e.g. screenshots, logs, etc.)
- Impact – Type of security impact an attacker could achieve
- Your name and country
You can find out more about the bug bounty program here.