Today, we are announcing our vulnerability disclosure program, colloquially known as a Bug Bounty Program. We previously announced that v0.9.0 of the Pocket-Core application had a security patch in it, which addressed an overservicing bug. This patch was in response to a white-hat disclosure made by a valued community member, PoktBlade (from PoktFund), along with Cristopher Ortega (Backend Engineer at Pocket Network), which was the first disclosure of its kind. In response to this incident, we developed the bug bounty program described here.
How It Works
Current industry standards utilize the Common Vulnerability Scoring System (CVSS) v3.1 to calculate the severity of a software vulnerability across multiple dimensions, including impact, exploitability, remediation, etc. We’ve opted to do the same with our bug bounty program.
At present, our program stands as follows:
To qualify for a bounty, all reports must be emailed to email@example.com and include:
- A write-up summarizing the bug, the steps needed to reproduce it, its impact to Pocket Network, and (optionally) any recommendations to resolve the issue.
- The CVSS v3.1 vector. This can be found on the National Vulnerability Database’s Calculator. An example of this would be AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H.
- A proof of concept, including all code needed to reproduce, with detailed instructions of how to do so.
The maximum total payout is then determined by the CVSS v3.1 score.
These payouts represent the maximum amount for a confirmed vulnerability. To receive the full amount, a report will be expected to provide the following:
- A well-written submission that describes the issue and its impact to a non-technical audience.
- A well-documented proof of concept that allows for easy reproduction of the issue.
- Clear and actionable steps that can be taken to resolve the issue.
Amounts will be paid in POKT using the price at ~9:00am US-EST on the day of disbursement.
Only vulnerabilities affecting the following repositories will be eligible for payment rewards:
The Foundation vs. The Corporation: Distinguishing Between Bounty Programs
For those who are unaware, there are two legally registered entities that, colloquially, use the name Pocket Network. There is Pocket Network Foundation (PNF), a Cayman Islands entity that executes the will of the Pocket DAO, amongst other functions. Then there is Pocket Network Incorporated (PNI), a USA entity that is building out core tooling (Portal, Wallet, Explorer, etc.), including funding the current development of the Protocol. The Foundation, Corporation, and DAO each have their own treasuries.
As the DAO does not currently have a bug bounty program, it will use the definitions in this bug bounty program until it establishes its own, which we highly encourage the community to do via the Governance Forum. Once established, the DAO’s bounty program can cover recompense for any Pocket Network software that the DAO wishes to incentivize disclosures for, including bounties additive to PNI’s. The DAO’s bounty program would govern the use of DAO treasury funds, but cannot compel PNI to make bounty payments outside of the scope of PNI’s bug bounty program described in this article.
PNF may also choose to define its own bug bounty program independently of PNI and the DAO. Until PNF has its own bug bounty program, PNI’s bug bounty program will cover PNF-hosted software. Later this year, we will shuffle the projects living on PNF’s GitHub Organization and PNI’s GitHub Organization to help clarify the distinction between which software is owned by each entity, and thus which software the respective bug bounty programs would apply to.
We have a bug bounty program that pays up to $10k in POKT. The bounty will be valid for all open source projects owned by both Pocket Network Incorporated and Pocket Network Foundation, until PNF defines its own bug bounty program. We also encourage members of the Pocket DAO to define their own bug bounty program if they wish to further incentivize white hats.