Archethic Bug Bounty Program

Description of the Program

Archethic is a Layer 1 blockchain protocol. We have innovated in multiple aspects of the blockchain design to achieve scale, security, sustainability, and simplicity without foregoing the core tenet of decentralization. All these innovations have been thoroughly researched and are now being implemented. Any such innovation takes time due to its complexity. Moreover, the absence of a comparable architecture makes it difficult to assess, benchmark and validate.

We are launching the bug bounty program to involve our community in this effort to deploy a truly decentralized ecosystem that is ready for mass adoption. There will be another phase of the bounty program in the future, launched after stabilization. To test and validate the network, we will be running the code on real mainnet nodes.

Unlike other bug bounty programs, our community will be testing the stability and functionality of the real mainnet nodes. This means that even though it is the mainnet, we will reset the nodes if required. Since the tokens have not yet been migrated to this network, there is no risk of loss.

The tokens available on this network will be dummy tokens. Please expect disruption and loss of dummy tokens in case of a reset. The aim is to push the network to achieve the stability and security expected of a large-scale ecosystem.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible. The bug bounty program allows Archethic Foundation to recognise and reward members of the community for helping us find and address significant bugs, in accordance with the terms of the bug bounty program set out below.

What is in Scope

The scope would be limited to the following aspects of our blockchain ecosystem:

  • Node

Repository: https://github.com/archethic-foundation/archethic-node

URL: https://mainnet.archethic.net

  • Wallet

Repository: https://github.com/archethic-foundation/archethic-wallet

URL: Download the latest version here: https://archethic.net/aewallet.html

  • AE Web

Repository: https://github.com/archethic-foundation/aeweb-cli

On the node, community members can use the faucet to fund the wallet. These funds can then be used to test P2P transfers or to deploy a website using AE Web. Community members should evaluate the transfers and wallet fund movements in the beacon chain to find any bugs related to the network summary of transactions. These are just some examples of testing scenarios.

What is NOT in Scope

Testing of the Archethic website (https://www.archethic.net) is not in scope, but we would gladly accept any suggestions that you may have. Our community has been providing valuable feedback regarding this asset and we appreciate it. In the case of the Archethic wallet, user interface defects related to the type of device, screen resolution or Android version are out of scope.

For the Archethic node, issues related to connectivity, latency or internet disruptions are out of scope. Similarly, translation or typo defects will not be recognized for reward, but such suggestions always help us improve the user experience.

The core aim of this program is the stability and integrity of the network. Hence, community involvement is meant to find bugs that help achieve that goal, and valid submissions of that kind are rewarded. The final decision regarding the validity of any bug rests with the foundation bug bounty panel.

Only the targets listed under "What is in Scope" are part of the bug bounty program. For example, our infrastructure, such as DNS, email, etc., is not part of the bounty scope.

Guidelines

The bug bounty program is an experimental and discretionary rewards program for our active community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the foundation bug bounty panel.

Local laws may require the foundation to ask for proof of your identity. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

  • Issues without a PoC or that have already been submitted by another user or are already known to core developers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Please do not make repeat submissions of low quality, rejected or automated vulnerability reports. In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
  • To the extent that you propose a fix that includes code, we will be glad to discuss the terms of contribution in respect of that fix so that we can deploy it going forward.
  • Employees and contractors of the Foundation, Uniris, Archethic Technologies or core development team in scope of the bounty program may participate in the program but will not receive monetary rewards.
  • You must be old enough to be eligible to participate in and receive payment from this program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.
  • The Archethic bounty program considers a number of variables in determining rewards. Determinations of eligibility and all terms related to an award are at the sole and final discretion of the foundation bug bounty panel.

Bounty Reward Description

The reward for eligible bugs can be up to USD 10,000 in UCO based on the severity and impact. The decision is at the discretion of the foundation, but we will pay significantly more for particularly serious issues. The foundation will also determine rewards based on:

  • Quality of description: Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility: A Proof of Concept (PoC) must be included to be eligible for rewards. Please include test code, scripts, and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of fix, if included: Higher rewards are paid for submissions with clear description of how to fix the issue.


Each bug will only be considered for a reward once. Bounty-eligible bug hunters will be asked to send their wallet address. Local laws may require the foundation to ask for proof of your identity. Rewards will only be distributed after the mainnet bridge is activated and all the tokens are moved to their native form on the mainnet.

The conversion of the reward amount to UCO will be based on the closing price on the date of bug submission as given by Coingecko.com:

https://www.coingecko.com/en/coins/archethic/historical_data

How to Report a Bug?

We have created a GitHub repository for this program: https://github.com/archethic-foundation/bug-bounty. Community members should report their bugs directly in GitHub within this repository. We have created an issue template to guide you in your submission on GitHub. You can report bugs using this template.

How to create an issue in GitHub?

https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-an-issue

We also have a standard Archethic Improvement Proposal (AEIP) mechanism. Please use the guidelines provided in GitHub for suggesting improvements: https://github.com/archethic-foundation/aeip

For each valid and eligible bug you find, you will earn rewards.

Legal Safe Harbour

If you conduct genuine, in-scope, bug hunting research in good faith and in accordance with this policy we will consider your actions to be legitimate and will not seek prosecution. But for the avoidance of doubt, this does not give you permission to act in any manner that is inconsistent with the law or might cause Archethic to be in breach of any of its legal obligations.

Decentralized networks are interconnected with third-party systems and services. While we can authorize your research on Archethic’s systems and services, we cannot authorize efforts on third-party products or guarantee that those parties will not pursue legal action against you.

If you are not sure whether your conduct complies with this policy or if you have other queries regarding the program, please contact us at bug-bounty@archethic.net and we will do our best to clarify.


Archethic Public Blockchain

Archethic is a Layer 1 aiming to create a new Decentralized Internet.

Its blockchain infrastructure is the most scalable, secure & energy-efficient solution on the market thanks to the implementation of a new consensus: "ARCH".

Archethic smart contracts expand developers' boundaries by introducing internal oracle, time-triggers, editable content & interpreted language.

Through native integration for DeFi, NFTs & decentralized identity, Archethic offers an inclusive and interoperable ecosystem for all blockchains.

In order to achieve the long-term vision of an autonomous network in the hands of the world population, we developed a biometric device respecting personal data privacy (GDPR compliant).

Making the blockchain world accessible with the tip of a finger. Be the only key! https://www.archethic.net/


Archethic Foundation

A non-profit created to manage the decentralized governance of the public blockchain.
