Security is a top priority for Hercules. To make sure the protocol stays secure we are officially launching a Bug Bounty program, starting now.
We are very pleased to let you know that the Hercules smart contracts have successfully been audited by Trusted Ledger Solutions, prior to main net launch. In both occasions, no major vulnerabilities have been found, but some minor errors still occur occassionally.
Now that the audits have been completed, we are launching a bug bounty program. The bug bounty currently targets the eight separate smart contracts listed below. The branch to audit is master.
- https://github.com/HERCone/contracts/tree/master/assetTracking
- https://github.com/HERCone/contracts/tree/master/assetVerification
- https://github.com/HERCone/contracts/tree/master/herc-erc777-token
- https://github.com/HERCone/contracts/tree/master/mintableAssetTokens
- https://github.com/HERCone/IICO
- https://github.com/HERCone/contracts/tree/master/base
- https://github.com/HERCone/contracts/tree/master/exchange
All Smart Contracts can be found at https://github.com/hercone
Critical vulnerabilities will be rewarded up to $5,000 USD equivalent in HERC tokens upon launch
The rules of our bug bounty program are the same that apply to the Ethereum protocol: https://bounty.ethereum.org
Issues that have already been submitted by another user or are already known to the Hercules team are not eligible for bounty rewards unless a direct fix is applied.
Public disclosure of a vulnerability makes it ineligible for a bounty.
The Hercules core development team, employees, and all other people directly paid by Hercules SEZC, directly or indirectly, are not eligible for rewards.
The Hercules bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to rewards are at the sole and final discretion of the Hercules SEZC bug bounty panel.
The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are ultimately determined at the sole discretion of the Hercules SEZC bug bounty panel.
Rewards are paid in HERC. During our Presale HERC is .20 USD and is found at an equivalent cost of .00032 btc as of Oct 14, 2018.
- Critical: up to $5 000
- High: up to $2 000
- Medium: up to $1 000
- Low: up to $500
- Note: up to $100 All bounty will be paid in HERC, which will be easily convertible around 2 months after launch.
- Create a secret gist
- Describe the bug in the created gist
- Wait for security audit to end. Keep your gist private.
- Publish the link to your gist (URL) in an issue comment on this repo.
The first person to create a bug-report gist that is found valid will be rewarded. Reporting issues that are already reported will not be rewarded i.e. if two persons report the same issue, only the one who did it earlier, will be rewarded.
For any questions please report to hackathon@herc.one
The bug bounty program starts now and will not have an end date until communicated otherwise. We encourage you to report the bugs as an issue on the Github repository. You can also email social@herc.one.