We are excited to announce that today our new Bug Bounty program has gone live with the support of Bugcrowd!
This program is initially rolling out to a curated list of select security researchers managed by Bugcrowd while we iron out any kinks and get the program up to full speed. After that, Bugcrowd will be inviting more researchers to the program in waves over the next few weeks, with the goal of opening up the Bounty program to their entire network of millions of security researchers, before the end of the year.
To start, we worked with Bugcrowd to set our bounties at the values they recommended as most practical for our needs, based on their experience with the other programs they manage. As time goes on, if we feel these ranges do not meet the needs and expectations of the security researcher community, we will revise them as needed.
Here are the current ranges as of this writing:
- P5/Info - $0
- P4/Low - $200-$400
- P3/Moderate - $600-$850
- P2/Severe - $1500-$1750
- P1/Critical - $5,000 and up
On the critical P1s, while the range starts at the $5,000 mark, the final payout ultimately depends on the scope of what is found.
The scales themselves are what Bugcrowd advised, based on the few thousand programs they currently manage when compared against our needs and specifics. As time goes on (as part of this slow ramp-up phase) we will adjust them if needed, based on feedback from the security researchers submitting issues and from our account managers at Bugcrowd. As for which classification an issue falls into, Bugcrowd uses an industry-standard matrix called the VRT (Vulnerability Rating Taxonomy).
If you are a security researcher who is passionate about blockchain technology and the work we do here at Chia, we encourage you to sign up and join their community (assuming you aren't already part of it!) and join in as soon as you are able in one of their waves. It's not often I am excited about spending large sums of money, but paying out security researchers for quality findings is definitely one of those occasions!
(When the time comes that we're able to fully open the program to all members of the Bugcrowd platform at large, we'll be sure to update everyone again!)