Introduction
Credits improves its technology day after day and makes head with a credible faith in decentralized future. The only way to succeed in the modern IT market is to work side-by-side with technology-savvy researchers in order to remedy any weaknesses. It is for that reason Credits team launches the first stage of Bug Bounty Campaign. Credits invites all interested developers and security experts to participate in the program. The first stage is aimed to optimize source code, eliminate vulnerabilities and improve the platform’s security.
The overall prize fund of the first stage is 500 000$. All payments will be made in USD and BTC/ETH/CS coins accounting for developer’s taste.
Steps to participate:
- Fill out the registration form — https://forms.gle/nEP7HhyFS8XSfpy4A
- ATTENTION! Search bugs in platform modules that are included in Bug Bounty Program (more information in section “Assets in Scope”)
- Provide information about bugs through the ISSUE request in the repository where you found a bug. Credits official Github — https://github.com/CREDITSCOM (Read more in the section “Reporting and investigating bugs”)
- The Credits team will review all bugs and will provide you with feedback as quickly as possible via the comments on the page with a specific bug.
- Distribution of rewards will be carried out in USD or cryptocurrency that you select in the form of registration (BTC, ETH, CS)
Software Assets in Scope
The following components of Credits Platform are included in 1 Stage of Bug Bounty Campaign:
- Network Node — blockchain software — https://github.com/CREDITSCOM/node
- Contract Executor — application for deployment and execution of smart contract methods — https://github.com/CREDITSCOM/contract-executor
- Wallet Desktop — desktop wallet application — https://github.com/CREDITSCOM/wallet-desktop
- CScrypto — library submodule for node repository — https://github.com/CREDITSCOM/cscrypto
Investigating and reporting bugs
If you have found a bug, please submit a report through creating a new issue on Credits Github. Note that you are able to submit reports only regarding components of the platform included in “Software in Scope”.
- Asset. Chose the repository the bug is related to and create a “New Issue” in it. (For example, node software — http://prntscr.com/o8aoqp)
- Severity. Chose the level of vulnerability according to the table in “Qualifying Vulnerabilities”
- Summary — Add a summary of the bug
- Description — Any additional details about this bug
- Steps — Steps to reproduce
- Supporting Material/References — Source code to replicate, list any additional material (e.g. screenshots, logs, etc.)
- Impact — What impact does the found bug has, what could an attacker achieve?
- Your name and country.
Software to use
The Bug Bounty Campaign is held in the TestNet Release 4.2 network. Participants have two ways to install the necessary software and enter the network:
1) For convenient installation we recommend you to use completed binaries available through the following links:
2) Developers are also able to compile software using source code available on Credits Github. Check the instruction below:
- Download “node” using “bug_bounty” branch, then follow instructions in Readme file,
- Download “contract-executor” using “bug_bounty” branch, then follow the instruction in Readme file,
- Download “wallet-desktop” using “bug_bounty” branch, then follow the instruction in Readme file,
- Connect to the TestNet, through the entry server 169.50.169.10, port 6018;
- You are able to check transaction using blockchain explorer — Credits Monitor. Remember, that it is not included in “Assets in Scope” for Bug Bounty Campaign.
- You will automatically receive coins for testing of TestNet Release 4.2 network after registration will be done (check “Steps to participate”).
Qualifying Vulnerabilities
- For all “Software in Scope” there are several degrees of bugs which will have a different amount of rewards.
- For multiple bugs with one underlying root cause, where one fix can be applied to remediate, we will consider this as one vulnerability and only award once.
- The only first developer who has found bugs will get a reward
- Developers are able to submit fixes for found bug using “Pull Request” on Credits Github. In case that developers’ correction will be considered like a viable the amount of reward will be increased in 3 times
For scenarios that do not fall within one of the above categories, Credits team still appreciates reports that help us to make the platform more secure and stable. In general, developers will be rewarded on the basis of table above. Please note these are general guidelines, and that final reward decisions are up to the discretion Credits technical team.
Requirements and Rules:
Follow the campaign conditions and do not perform prohibited actions in order to get a reward.
- The total amount of remuneration depends on the risks and the impact of the bug on the work of the services and will be determined by the technical team of the project individually
- Placing the content inside the smart contract is prohibited
- The size of the smart contract is limited to 1 MB
- Attacks on Denial of Service are prohibited
Legal Information
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.