Obyte's Bug Bounty Program Offers up to $50,000 in Rewards

There are numerous ways to earn in the Obyte ecosystem, and one of those ways could give a massive reward to skilled developers. We take our security very seriously, so we have a bug bounty program for enthusiasts worldwide to check if our code and features could be vulnerable to threats. This program, hosted by the platform Immunefi, is offering up to $50,000 per critical bug.

Immunefi serves as a leading bug bounty and security services hub for crypto projects, ensuring the protection of over $60 billion in user funds across numerous projects. With an inclusive approach, they cover a wide range of chains and networks, including Obyte. They classify the bugs on a 5-level scale: none, low, medium, high, and critical for the ledger itself (DLT), their smart contracts, or their websites and apps.

In the case of Obyte potential bugs, the payouts start at a medium level with 1,000 USD per reported threat on websites, applications, and smart contracts. High severity threats receive 2,500 USD, and critical bugs in the ledger or its smart contracts have the maximum allocation (50,000 USD). All of this could be paid in GBYTE, BTC, or OUSD (a stablecoin on Obyte).

What kind of bugs count for rewards?

The Obyte bug bounty rewards program encompasses specific impacts in different domains. For the DLT category, critical impacts like network shutdown, unintended chain splits requiring hard forks, and direct loss or freezing of funds of the users are eligible. Critical and high impacts also involve network stability concerns, including RPC API crashes and consensus failures. Medium and low impacts cover scenarios such as excessive node compute consumption and transaction fee underpricing.

Within the Smart Contract domain, critical impacts extend to direct theft or freezing of user funds, as well as manipulation of governance voting results. High impact includes theft or freezing of unclaimed yield, while medium impact involves cases like smart contract operation hindrance and griefing attacks. Low-impact instances involve contract failures to meet return commitments without losing value.

In the Websites and Applications sector, critical impacts encompass severe actions like executing system commands, stealing sensitive data, and disrupting applications. High impacts involve actions such as spoofing content or disclosing confidential information, while medium impacts pertain to privilege escalation and API key leakage.

Certain vulnerabilities and activities are excluded, like attacks where an individual exploits themselves, and theoretical vulnerabilities without proof. Testing on mainnet or public testnet contracts, phishing attempts, and DDoS attacks are prohibited. Automated testing generating significant traffic is also disallowed, and public disclosure of unpatched vulnerabilities under embargo isn’t allowed.

How to report bugs?

The first step is to sign up on Immunefi and press “Submit a report” in the personal dashboard. Then, you select the asset involved (Obyte, in this case), the GitHub repository in which you found the bug, and the impact that bug may cause —direct theft of user funds, for example. The next stage is selecting the severity level, according to the Immunefi scale.

The report itself comes afterward and must include details like description, impact, risk breakdown, recommendations, and references. In the case of Obyte, all web and app bug reports must come with a Proof-of-Concept (PoC) or detailed steps to reproduce the issue. Bug reports submitted without a PoC will be rejected with instructions to provide one. You can add a secret Gist environment to support your PoC.

Finally, if you’re eligible for a reward, you need to share your wallet address to receive it. A review process will start from there by the Obyte development team, and you can check the status of your submission in your Immunefi dashboard. It could have nine conditions: Reported, In Review, Needs More Information, Triaged, Escalated, Confirmed, Mitigated, Paid, and Closed. And that’s it!

Obyte has already paid around 5,000 USD to white hats through Immunefi –and around 10,000 USD for bug reports before this program as well. If you’re ready to help us improve the Obyte ecosystem, you can also check our resources for developers and our GitHub repositories. Happy coding!

Featured Vector Image by storyset / Freepik