Archethic Bug Bounty Program

Last updated on Jan 31, 2023

Description of the Program

Archethic is a Layer 1 blockchain protocol. We have innovated multiple aspects of the blockchain design to achieve scale, security, sustainability, and simplicity without foregoing the core tenet of decentralization. Such innovations take time to develop and implement due to their complexity. Moreover, the absence of any similar architecture makes it difficult to assess, benchmark and validate.

We launched the bug bounty program last year to involve our community in this effort to deploy a truly decentralized ecosystem that is ready for mass adoption. This year we are launching the next phase of the bounty program. The earlier scope of the bug bounty is still valid, and we are now adding the bridge to that scope.

The bridge will connect the TestNets of Ethereum, BSC, Polygon and Archethic during Phase 1. Based on the test results and community feedback, Phase 2 will be launched on the MainNets of the respective blockchains. The testing phase of the bridge is critical, since its robustness will ensure that tokens are safely migrated to their native Archethic network.

Since the Phase 1 testing is done on TestNet tokens, we urge the community to stress the bridge and try various scenarios without any risk of loss. As mentioned earlier, the robustness of the bridge will ensure safe migration of real tokens. The aim is to push the network to achieve the stability and security expected of a large-scale ecosystem.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible. The bug bounty program allows Archethic Foundation to recognise and reward members of the community for helping us find and address significant bugs, in accordance with the terms of the bug bounty program set out below.

What is in Scope

The scope is limited to the following aspects of our blockchain ecosystem; this includes the earlier scope:

  • Bridge

  Instructions Blog: https://blog.archethic.net/bridge-launch

  Repository: https://github.com/archethic-foundation/erc20-atomic-swap

  • Node

  Repository: https://github.com/archethic-foundation/archethic-node

  URL: https://mainnet.archethic.net

  • Wallet

  Repository: https://github.com/archethic-foundation/archethic-wallet

  URL: Download the latest version here: https://archethic.net/aewallet.html

  • AE Web

  Repository: https://github.com/archethic-foundation/aeweb-cli

What is NOT in Scope

Archethic website (https://www.archethic.net) testing is not in scope, but we would gladly accept any suggestions that you may have. Our community has been providing valuable feedback regarding this asset and we appreciate the same. In the case of the Archethic wallet, user interface defects related to the type of device, screen resolution or Android version are out of scope.

For Archethic node, issues related to connectivity, latency or internet disruptions are out of scope. Similarly, any translation or typo defects would not be recognized for reward, but such suggestions always help us improve the user experience.

The core aim of this program is the stability and integrity of the network. Hence, community involvement is meant to find bugs that help achieve that goal, and valid submissions are rewarded. The final decision regarding the validity of any bug rests with the foundation bug bounty panel.

Only the targets listed under in-scope are part of the bug bounty program. For example, our infrastructure, such as DNS, email, etc., is not part of the bounty scope.

Guidelines

The bug bounty program is an experimental and discretionary rewards program for our active community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the foundation bug bounty panel.

Local laws may require the foundation to ask for proof of your identity. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

  • Issues without a PoC or that have already been submitted by another user or are already known to core developers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Please do not make repeat submissions of low quality, rejected or automated vulnerability reports. In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
  • To the extent that you propose a fix that includes code, we will be glad to discuss the terms of contribution in respect of that fix so that we can deploy it going forward.
  • Employees and contractors of the Foundation, Uniris, Archethic Technologies or core development team in scope of the bounty program may participate in the program but will not receive monetary rewards.
  • You must be old enough to be eligible to participate in and receive payment from this program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.
  • Archethic bounty program considers a number of variables in determining rewards. Determinations of eligibility and all terms related to an award are at the sole and final discretion of the foundation bug bounty panel.

Bounty Reward Description

The reward for eligible bugs can be up to USD 10,000 in UCO based on the severity and impact. The decision is at the discretion of the foundation, but we will pay significantly more for particularly serious issues. The foundation will also determine rewards based on:

  • Quality of description: Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility: A Proof of Concept (PoC) must be included to be eligible for rewards. Please include test code, scripts, and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of fix, if included: Higher rewards are paid for submissions with clear description of how to fix the issue.


Each bug will only be considered for a reward once. Bounty-eligible bug hunters will be asked to send their wallet address. Local laws may require the foundation to ask for proof of your identity. Rewards will only be distributed after the mainnet bridge is activated and all the tokens are moved to their native form on the mainnet.

The conversion of reward money to UCO is based on the closing price on the date of bug submission, as given by Coingecko.com:

https://www.coingecko.com/en/coins/archethic/historical_data

How to Report a Bug?

We have created a GitHub repository for this program: https://github.com/archethic-foundation/bug-bounty. Community members should report their bugs directly in GitHub within this repository. We have created an issue template to guide you in your submission within GitHub. You can report bugs using this template.

How to create an issue in GitHub:

https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-an-issue

We also have a standard Archethic Improvement Proposal (AEIP) mechanism. Please use the guidelines provided in GitHub for suggesting improvements: https://github.com/archethic-foundation/aeip

For each valid and eligible bug you find, you will earn rewards.

Legal Safe Harbour

If you conduct genuine, in-scope bug hunting research in good faith and in accordance with this policy, we will consider your actions to be legitimate and will not seek prosecution. For the avoidance of doubt, this does not give you permission to act in any manner that is inconsistent with the law or that might cause Archethic to be in breach of any of its legal obligations.

Decentralized networks are interconnected with third-party systems and services. While we can authorize your research on Archethic’s systems and services, we cannot authorize efforts on third-party products or guarantee that third parties will not pursue legal action against you.

If you are not sure whether your conduct complies with this policy or if you have other queries regarding the program, please contact us at bug-bounty@archethic.net and we will do our best to clarify.


Archethic Public Blockchain

Archethic is a Layer 1 aiming to create a new Decentralized Internet.

Its blockchain infrastructure is the most scalable, secure & energy-efficient solution on the market thanks to the implementation of a new consensus: "ARCH".

Archethic smart contracts expand developers' boundaries by introducing internal oracle, time-triggers, editable content & interpreted language.

Through native integration for DeFi, NFTs & decentralized identity, Archethic offers an inclusive and interoperable ecosystem for all blockchains.

In order to achieve the long-term vision of an autonomous network in the hands of the world population, we developed a biometric device respecting personal data privacy (GDPR compliant).

Making the blockchain world accessible with the tip of a finger. Be the only key! https://www.archethic.net/


Archethic Foundation

A non-profit that manages the decentralized governance of the public blockchain.
