ERC-721 Token Reference Implementation Bug Bounty
This documents 0xcert's bug bounty process and how you can get rewarded for finding issues with the ERC-721 Token Reference Implementation.
The leaderboard will list all the contributors of this bounty.
Sponsor this bug bounty if you support ERC-721. This means you will commit to paying researchers that demonstrate a problem. Contact us at email@example.com if interested. Thank you.
Become a sponsor and be listed here as a contributor to the bug bounty fund:
Scope of this bounty program
This bounty is open for an unlimited time. A previous limited-time bounty program was:
- Round 1 — 2018-05-16 at 00:01 CET to 2018-07-16 at 23:59 CET
Help us find any problems with this contract and with ERC-721 in general. This bounty program's function scope includes:
- Overflow or break parts of the implementation
- Steal ownership of a token
- Give a token to somebody else and double spend it or revert it back to your control
- Any undocumented and unintuitive behavior
- Style guide violations (find the current style guide in effect referenced from CONTRIBUTING.md)
Rules and rewards
- Issues that have already been published here or are already disclosed to the 0xcert team are not eligible for rewards (a corollary, the 0xcert team members are ineligible for rewards).
- Social engineering, XKCD#538 attacks, bringing down Mainnet/Infura are not in scope and will NOT be paid a reward.
- Only the end-user contracts (
src/contracts/**/*.sol) are in scope.
- Only the latest released version of this project is in scope.
- Only Ethereum mainnet is in scope. We intend to add other blockchains at a future date such as Hyperledger Burrow, Ethereum Classic, and POA Network.
- GitHub Issues is the only way to report issues and request rewards.
- The 0xcert team has complete and final judgment on the acceptability of bug reports.
- This program is governed under the laws of the Republic of Slovenia, if there is a party that we are unable to pay due to trade embargoes or other restrictions, then we won't pay. But we are happy to cooperate by making alternate arrangements.
Following is a risk rating model that judges the severity of an issue based on its likelihood and impact.
|LOW LIKELIHOOD||HIGH LIKELIHOOD|
|HIGH IMPACT||Medium severity||High severity||Highest severity|
|Low severity||Medium severity||High severity|
|LOW IMPACT||Notable||Low severity||Medium severity|
- Highest severity — full payout of the bug bounty (10 ETH)
- High severity — partial payout of the bug bounty (5 ETH)
- Medium severity — partial payout of the bug bounty (1 ETH)
- All eligible reports (low severity or notable) are mentioned in this thread in a leaderboard and are eligible to receive a special bug bounty tee shirt.
- Additional rewards are available from sponsors. In general, these will follow proportionally as the rewards above.
- 0xcert and sponsors reserve the right to deduct from the bounty pledge when the ongoing bug reports are rewarded.
Examples of impact:
- High impact — steal a token from someone else, impersonate the contract owner
- Medium impact — cause metadata to fail so that the wrong data goes on the blockchain, or waste 5,000 gas or more in a transaction (ignoring transfer-to-self and no-op transactions)
- Low impact — cause a transaction counterparty that carefully reads the contract documentation to make a mistake on some edge case type of transaction
- Notable — it applies mostly to typos
Examples of likelihood:
- High likelihood — affects all users of the smart contract performing a certain function
- Medium likelihood — affects a number of end users in a scenario that actually happens naturally in production deployments
- Low likelihood — affects two end users only if they are cooperating together to exploit a specially crafted transaction
- Notable — affects developers and grammarians but not end users
How to win:
- Be descriptive and detailed when describing your issue
- Fix it — recommend a way to solve the problem
- Include a Specron test case that we can reproduce
Rules for bounty sponsor:
- We will respond quickly to your questions
- We will adjudicate all prizes quickly
Are you really recommending full disclosure as a best practice?
- Yes. Well known losses due to problems with ERC-20 have exceeded tens of millions USD. The best defense we can offer to the community is to be transparent when issues come. Following are two references on this topic to explore further.
- Schneier, Bruce. "Damned Good Idea". CSO Online. Retrieved 29 April 2013.
- Heiser, Jay (January 2001). "Exposing Infosecurity Hype". Information Security Mag. TechTarget. Archived from the original on 28 March 2006. Retrieved 29 April 2013.
⭐️Star this repo if you are using this code. Surely you would want to know of any bugs as soon as possible.
- If you prefer to send us a bug report privately so that a fix can be developed concurrently with the announcement you are welcome to mail us at firstname.lastname@example.org. You are welcome to make a hashed bug report (set issue body to hash of your message). This will still be eligible for payment and recognition.
Will things change during the bounty program?
- Yes, we are seeking sponsors and will add additional prizes here if that happens.
- Yes, we will update the code and redeploy the contract. So, click
⭐️STAR and 👁WATCH above on this repo for updates.
- If you earn so much money that you will need to fill out a tax form, then we will ask you to fill out a tax form. This whole program is subject to the laws of the Republic of Slovenia.
- I read to the bottom of the file.
Released under the MIT License.