If 2018 was the year of the crypto crash, 2019 will be the year of building, as speculation subsides and serious projects come to the forefront. In the spirit of building, the developers behind top cryptocurrency Decred have been behind the scenes creating a community-driven digital currency that aims to be a superior store of value for generations to come. In just three years, they’ve built a transparent proposal and voting system, a continually funded treasury, and a hybrid PoW+PoS consensus mechanism that make the cryptocurrency adaptable, self-sustaining, and secure.
But a lot has to happen before Decred’s vision of building a self-governed, decentralized future ruled by collective intelligence can become a reality. As the crypto space matures, 51% attacks and other vulnerabilities are increasing in frequency — throwing into stark relief the need to improve our overall security posture, and to get a fresh set of eyes on our code and websites. That’s why, today, Decred is announcing an official bug bounty program. Devs of all backgrounds, including newbies to Decred, are invited to hunt for security vulnerabilities — and get paid for it.
With this program, Decred aims to stay true to its core value of leveraging collective intelligence in a decentralized way. That’s why we’re crowdsourcing from many bug bounty hunters, both inside and outside the community, anywhere in the world, to find and fix security vulnerabilities and further our goal of becoming a superior store of value. Impactful contributors will be rewarded handsomely — up to $25,000 for critical fixes.
The rules for participating in Decred’s bug bounty program are simple:
- All bug reports need to have clear reproduction steps and/or proof of concept.
- All bugs must be reproducible in the latest production release or the master branch of the code.
- Bugs in old releases or feature branches are not in scope.
- We prohibit denial of service attacks or network bandwidth load testing.
- We are unable to pay for duplicate reports or reports of bugs which are already known.
- Any type of public disclosure of the vulnerability without prior approval from the bug bounty program will make it ineligible for payout.
- No social engineering.
- No spamming.
- All Current/Past (for up to six months) Decred contractors are barred from taking part in this bug bounty program.
- Vulnerability reports made before the start of the program will not be eligible for a bounty.
- Do not attempt to attack or test on mainnet — the main Decred network. There is a completely separate Decred testnet which is specifically created for software testing. Testing on the public testnet will prevent impact on mainnet and removes the risk of causing real financial damage. It is also possible to create your own personal simnet. Simnet runs on on your own local system, and has a low enough difficulty to mine blocks using a CPU.
How to Get Paid
Decred will use the OWASP Risk Rating Methodology for assessing vulnerabilities and determining payout amount. It will also take into consideration the impact on the Decred ecosystem. For instance, an RCE in dcrweb (low impact) is not the same as an RCE in dcrd or Decrediton (higher impact).
Decred will also consider the quality of the initial write-up and of vulnerability reproduction steps and/or proof of concept. If participants provide a code fix for the vulnerability, they will also be eligible for a “code fix” bonus on the condition that Decred’s existing developers accept it as valid.
All payouts will be in Decred only. Participants will be required to create and operate a Decred wallet. The DCR to USD ratio is based on the the average USD rate of the previous month. Payout amount is decided by a core “bug bounty” group.
Indicative payout amounts are as follows:
Note: Up to 300 USD
Low: up to 1,000 USD
Medium: up to 3,000 USD
High: up to 10,000 USD
Critical: up to 25,000 USD
How to Get Involved
Everyone is invited to participate in the program. To learn more, go to the Decred bug bounty website.
To learn more about Decred, visit the homepage.