Polymesh Bug Bounty Program

Overview

Welcome to the Polymesh Bug Bounty Program. Polymesh is the software that powers the nodes of the Polymesh blockchain. We want Polymesh to be robust and be the best it can be. This is where we need your help, to assist us in finding bugs and vulnerabilities. Confirmed bugs or vulnerabilities will get monetary rewards (bounty). Please see our Rules & Rewards section for more details.

To get started, read the Rules and the Developer Documentation to learn how to set up Polymesh and how to approach the bug bounty program.

Some prior knowledge of capital markets and the Rust language can be beneficial. If you still have questions, reach out to us on our Discord server or email us at [email protected].

Tip

Looking for the Vulnerability Disclosure Form? You can find it here.
(By participating in the Polymesh Bug Bounty Program, you agree to the program's Terms and Conditions.)

You can also submit bug reports through our Bug Bounty program on Immunefi.

Bounty Scope

The bug bounty will be applicable for the following repositories, sources and sites:

Following are out of scope:

Rules

  • Rewards will be decided on a per-case basis. This bug bounty program's terms and conditions are at the sole discretion of the Polymesh Association.
  • Rewards will vary depending on the severity of the issue.
  • Disclose the bug only on the platforms approved by us (Federacy/Immunefi). Do not disclose a bug or vulnerability anywhere else to the public; doing so would disqualify it from being considered for a reward.
  • Bugs are considered for a reward on a first-come, first-served basis; duplicate bugs will not be considered.
  • If you want to add more information to a submitted issue, edit the original report rather than creating a new submission.
  • Other variables considered for rewards include the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
  • Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Polymesh Association.
  • Submissions need to be related to the Bounty Scope. Submissions outside the Bounty Scope won't be eligible for a reward.
  • Any interference with the protocol, client or platform services during the process, whether intentional or not, will invalidate the submission.
  • It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.
  • By participating in the Polymesh Bug Bounty program, you agree to abide by the terms and conditions of the program.

We may modify the terms or terminate this program at any time.

Vulnerability Classification and Rewards

Severity | Description / Example | Reward
CRITICAL (CVSS 9.0 - 10.0) | Transaction manipulation or censorship, double-spending, POLYX minting, unauthorized token minting, stalled or undermined consensus/network, governance censorship or compromise, manipulation of signing keys or master keys to gain unauthorised access to an identity. | USD 6000 - 10000
HIGH (CVSS 7.0 - 8.9) | Ability to make an extrinsic panic unexpectedly without proper handling, block the on-chain governance system from its expected behaviour, or block other users from performing expected tasks (griefing). | USD 2000 - 6000
MEDIUM (CVSS 4.0 - 6.9) | Ability to put chain data into an unexpected state which otherwise doesn't cause any disruption, or force the emission of incorrect events. | USD 500 - 1500
LOW (CVSS 0.0 - 3.9) | DoS of the operator nodes, incorrect data being logged through events. | USD 200 - 600

Exclusions

While researching, please refrain from:

  • Denial of service in general and of Public RPC nodes
  • Attacks that consume a substantial amount of Testnet POLYX and which would otherwise be cost-prohibitive on Mainnet
  • Spamming
  • Social engineering (including phishing) of Polymesh Association's staff
  • Any physical attempts against Polymesh Association's property or data centres

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

However, please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party, that third party is not bound by the rules of this program and may determine, at their sole discretion, whether to pursue legal action. The Polymesh Association cannot and does not authorize security research on other entities.

Please see Safe Harbor Conditions in our Terms and Conditions for full details.

References

Submitting a bug

Once you find a bug, please report it to us via Federacy.
Immunefi also runs our Bug Bounty program, so you can report it there too.
Please be detailed, specific and clear when you fill out the form. Once we receive your report, we'll be in touch soon.

Terms and Conditions

The Polymesh Bug Bounty Program is governed by our Terms and Conditions defined here.
By participating in the program, you agree to these Terms and Conditions.

Contact us

If you need help, please feel free to contact us by email at [email protected], or join our developer community on our Discord server.