Rules & Rewards

The rules of our bug bounty program are the same as those that apply to the Ethereum protocol: https://bounty.ethereum.org

Issues that have already been submitted by another user or are already known to the Request Network team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty.

The Request Network core development team, employees, and all other people paid by the Request Network Foundation, directly or indirectly, are not eligible for rewards.

The Request Network bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to rewards are at the sole and final discretion of the Request Network Foundation bug bounty panel.

The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood.

Reward sizes are guided by the rules below, but are ultimately determined at the sole discretion of the Request Network Foundation bug bounty panel.

Critical: up to $20 000

High: up to $15 000

Medium: up to $10 000

Low: up to $2 000

Note: up to $500

All bounties will be paid in ether.

Contract Description

There are eight separate smart contracts that qualify for this bug bounty program. A short summary of each smart contract is stated below. Please visit our Wiki for more information.

Base contract for the administration of Core. Handles whitelisting of currency contracts.

A contract to burn ERC20 tokens from ETH. Sends the ETH in the contract to Kyber for conversion to ERC20. Then the converted ERC20 token(s) are burned.

The Core is the main contract which stores all the requests.

The Core philosophy is to be as flexible as possible to adapt to any new system in the future.

All important conditions and important parts of the business logic take place in the currency contracts.

Requests can only be created in the currency contracts.

Currency contracts have to be allowed by the Core and respect the business logic.

Request Network will develop one contract per currency and anyone can create their own currency contract.

RequestEthereumCollect is a contract managing fees for the Ethereum currency contract.

RequestEthereum is the currency contract managing the request in Ethereum.

The contract can be paused. In this case, nobody can create Requests anymore but people can still interact with them or withdraw funds.

Requests can be created by the payee with createRequestAsPayee(), by the payer with createRequestAsPayer(), or by the payer from a request signed off-chain by the payee with broadcastSignedRequestAsPayer().

SafeMath adapted for int256.

Math operations with safety checks that throw on error.

SafeMath adapted for uint8.

Math operations with safety checks that throw on error.

SafeMath adapted for uint96.

Math operations with safety checks that throw on error.