The last few weeks have been busy with development by the Core team. IRI went up on GitHub and we started the refactoring; the JS Library was fully completed; the GUI Wallet is finished and ready for use; and the Python / C# / Java / C Libraries and tools are under active development.

As with any software development, bugs occur. Fixing them is usually fairly quick, but finding them takes more effort. Beyond that, we want to provide a direct incentive for people (especially developers) to dig into the code and thoroughly test the tools, libraries and software that we have provided for the community.

Because of this, we at the IOTA Foundation have decided to host the very first public bug bounty program for the next one and a half months (45 days). What this basically means is that if you successfully report bugs to any of the GitHub repositories listed below, you will get paid in IOTA. For newcomers, this should be a wonderful opportunity to earn your first IOTA tokens; for veterans in the community, it is a great way to increase your stack.

So let's get into more details.

Classification of bugs and bounties

In total, the bounty payments range from $25 to $400. Obviously, not every bug is the same. That's why we have different classifications for bugs and how well they pay. To keep things simple, we have summarized the bounty program into the following three categories:

Minor. Minor bugs are the ones mostly caused by neglect on the developer's part, for example using non-instantiated variables (or the wrong variable altogether), returning the wrong results and so on. Because they are relatively simple to fix, minor bugs pay between $10 and $100.

Medium. Bugs that break the logic, but do not cause any serious problems (in terms of unexpected behavior). For example, a non-functional API call in Core, or a library function that (unexpectedly) returns pre-execution, can be classified as Medium. Medium bugs pay between $100 and $250.

Critical. Critical bugs are the ones that cause unexpected behavior which could even lead to losses (i.e. IOTAs or transactions being lost) or a non-functional client. Critical bugs are mostly more subtle, and as such are more difficult to find. For example, race conditions or any bugs related to a Curl implementation (Curl is our trinary hashing function) fall under this category. Critical bugs pay $250 to $400, depending on the severity.

It should be noted that these bugs are not related to the IOTA protocol itself, which includes Curl and its logic. For these we will host a much larger bug bounty soon and generally pay between $5k and $30k, depending on the severity (especially anything related to Curl).