With our start time for the v0.1 contribution period less than a week away and the security audits close behind us (thanks to Ahmad Ali, Adam Dossa, and especially Jordi Baylina whose excellent writeup can be found here), we’re moving into the final phase of securing our district0x Network Token Smart Contracts.

We’re introducing a bug bounty program covering all district0x Network Token smart contracts, with bounties of up to $20,000 (paid in ETH) for the most severe vulnerabilities found. You can submit your findings to the issue board https://github.com/district0x/district0x-network-token/issues.

When:

The bug bounty program starts as soon as this post is live, and all future reports will be reviewed and compensated if necessary as per the terms below. The bounty period will conclude when the contribution period closes (more details on those conditions here).

Rules:

Duplicate issues will not be eligible for bounties. All reports are scored on a first-come first-serve basis.

district0x team members, auditors, and any other party paid by district0x are not eligible for bounties.

High-quality reports that include steps for reproduction, a proposed fix, and a working test demonstrating both the failing and passing cases will be awarded larger bounties.

Reports are determined for eligibility, scored, and awarded at the sole and final discretion of the district0x team.

Any reports which do not follow our responsible disclosure policy outlined below will be subject to disqualification.

Responsible Disclosure Policy

In order to protect our network and participants from malicious entries in this program, we ask the following:

No vulnerability found at any time is exploited for any reason, including demonstrations of the vulnerability for the purposes of the report.

You protect the privacy, data, and service integrity of other individuals and services with best efforts every step of the way.

Any critical or high severity (as defined below) vulnerabilities reported while the district0x Network Token Smart Contracts are live must be reported in private, giving us a reasonable amount of time to examine and correct the issue before the information is made public or shared with any third party.

Failure to comply with this disclosure policy may result in a formal law enforcement investigation launched against you.

Compensation:

We will follow the recent trend in the community and utilize the OWASP risk assessment methodology to score the issue’s severity.

A rough outline of the awarded amounts (all paid in equivalent ETH) for each severity class is as follows:

Critical: Up to $20,000 bounty. A critical bug is defined as an attacker being able to obtain district0x Network Tokens not proportional with their contribution, or able to obtain any amount of the raised ETH.

High: Up to $5,000 bounty. A high severity bug is defined as an attacker being able to deny or interrupt other users’ participation in the contribution period. This does NOT include flooding the Ethereum Network with transactions.

Medium, Low, and Note: We encourage submissions in these severity classes; however, we have no bounty structure promised for them at this time.

As stated in the rules section, additional metrics above and beyond Severity are used to determine the final compensation amount. These include the quality of description, quality of reproducibility, and quality of fix. The absence of any of these will result in a lesser bounty paid regardless of severity class. You can find examples and definitions of these on the Ethereum Foundation Bounty Program.

Participate:

To submit a bug for a potential bounty, please post a new issue to the issue board linked above for review. If you’d like an example write-up done for district0x, please check out Jordi’s recent post regarding his audit of the Contribution Period contracts.

All questions are welcome. Let the bug hunt begin!