Bug Bounty, development updates, and next steps

Development Update — 24th December

Bug Bounty

Moving forward, the bug bounty program scope and rewards will grow and continue to be actively updated as we extend and expand the Tangram network, hit important development milestones, and ship new features into the wild. As the network evolves, so will the bug bounties. The scope of the bug bounty program will be progressively updated to include more of Tangram’s code, and also specific files, vulnerabilities, and areas which may need to be focused on.

Vulnerabilities which may be eligible for the bug bounty include: memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service (DDoS) issues, lost write bugs, malformed payloads/transactions, and other creative bugs and vulnerabilities.

There is no maximum bug bounty reward, but we will reward creative or severe bugs appropriately. The Tangram team will evaluate each report, and rate the severity of each bug submitted. Depending on the severity of a bug and the quality of report, we may choose to reward a lower-tier bug at a higher-tier level or vice versa.

If we receive duplicate bug reports, the bounty will be awarded chronologically (the first person to report the issue).

Any valid vulnerabilities reported to this program will be disclosed publicly after the issue has been resolved.

In scope

github.com/tangramproject/Tangram.Vector

github.com/tangramproject/Cypher

Server or client: RCE-type vulnerabilities

Cryptographic flaws which would break the confidentiality of the underlying protocol

For up-to-date details, please check the following link periodically:

Out of scope:

Network assessment reports, other assessment-generated reports, and “advisory” or “informational” reports that do not include any Tangram-specific testing and/or context are ineligible for rewards.

Additionally, vulnerabilities which rely on social engineering are ineligible for reward.

Reporting a bug

To report a security vulnerability through an encrypted channel, please email or contact any of the core developers so that they can verify and exchange public keys with you.

Report guidelines

A complete report includes:

A detailed description of the issue being reported (please be succinct);

Any prerequisites and steps to get the network and/or system into an impacted state;

A reasonably reliable exploit for the issue being reported;

Enough information to be able to reasonably reproduce the issue.

Submit questions, bug reports and bug fixes to:

dev@getsneak.com

The reward for a vulnerability will vary depending on severity. The severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood (see below):

OWASP Risk Rating Model

Reward sizes are guided by the below, but are determined at the sole discretion of the Tangram vulnerability panel and as mentioned above are not capped.

Critical: up to 10 000 TGM (not capped)

High: up to 5000 TGM

Medium: up to 2000 TGM

Low: up to 1000 TGM

Note: up to 500 TGM
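As an added illustration (not code from the Tangram project), the following Python maps OWASP factor scores to the reward tiers listed above. The factor names, the 0-9 scale and the severity matrix are taken from the OWASP Risk Rating Methodology; the reward ceilings are the ones stated in this post, and the sample scores are constructed for a hypothetical block-validation bug.

```python
from statistics import mean

# Factor names and the 0-9 scale come from the OWASP Risk Rating Methodology;
# likelihood and impact are each the average of their factor scores.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                   # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# OWASP overall severity, indexed [impact level][likelihood level].
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
# Reward ceilings from this post, in TGM (Critical is explicitly not capped).
MAX_REWARD_TGM = {"Critical": 10_000, "High": 5_000, "Medium": 2_000,
                  "Low": 1_000, "Note": 500}

def level(score: float) -> str:
    """Bucket a 0-9 score into OWASP's LOW (<3), MEDIUM (<6) and HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(likelihood: dict, impact: dict) -> tuple:
    """Return (severity, reward ceiling in TGM) for one report's factor scores."""
    missing = (set(LIKELIHOOD_FACTORS) - likelihood.keys()) | (set(IMPACT_FACTORS) - impact.keys())
    if missing:
        raise ValueError(f"unscored factors: {sorted(missing)}")
    i_level = level(mean(impact[f] for f in IMPACT_FACTORS))
    l_level = level(mean(likelihood[f] for f in LIKELIHOOD_FACTORS))
    severity = SEVERITY_MATRIX[i_level][l_level]
    return severity, MAX_REWARD_TGM[severity]

# Constructed scores for a hypothetical block-validation bug: easy to find,
# exploitable by any peer, and breaking integrity/availability of the chain.
EXAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                      "ease_of_discovery": 7, "ease_of_exploit": 5,
                      "awareness": 9, "intrusion_detection": 9}
EXAMPLE_IMPACT = {"loss_of_confidentiality": 2, "loss_of_integrity": 9,
                  "loss_of_availability": 7, "loss_of_accountability": 9}

if __name__ == "__main__":
    print(rate(EXAMPLE_LIKELIHOOD, EXAMPLE_IMPACT))  # ('Critical', 10000)
```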

Important Information

The bug bounty program currently has a very limited scope, and DOES NOT as of yet span end-to-end soundness of protocols (such as the blockchain consensus model, p2p protocols, etc.); these will come into play once the network is production ready. The program currently includes classical client security as well as the security of cryptographic primitives. When in doubt, please check by sending an email to dev@getsneak.org.

Tangram’s core team and community managers are ineligible to submit any vulnerabilities.

The Tangram bug bounty program is an experimental and discretionary program for our active Tangram community members, intended to encourage and reward those who help to improve the Tangram network. We may cancel the bug bounty program at any time, and as stated, rewards are at the sole discretion of Tangram. Finally, your testing must not violate any law, national, international or otherwise, and must not compromise any data that is not yours.

We are planning to further extend the existing bug bounty in the near future with additional incentives, not only to support the identification of security and vulnerability issues but also to enable developers and others to support and grow the Tangram code base. These include:

Non-core tasks; squashing bugs; identifying core challenges; building out existing, already implemented features; … and who knows what else …

See some of the updates in the past weeks which in the future will be part of the requests for support!