Overview

We have upped our bug bounty by a factor of 2, as we have recently made some changes to our whitelist process. You can see our original bug bounty post here.

Our token sale smart contracts were written and audited by DAppHub, but have been modified slightly in light of changes to our whitelist process.

Major bugs will be rewarded up to $20,000 (in ETH). Higher rewards are possible (up to $40,000 in ETH) in case of very severe vulnerabilities.

Most of the rules on https://bounty.ethereum.org apply:

First come, first served.

Issues that have already been submitted by another user or are already known to the Aventus team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty.

Anyone who was a paid auditor of this code is not eligible for rewards.

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Aventus team.

Scope

All smart contracts relating to the token sale commencing July 17th, 2017. This includes:

The Aventus token contract

The token sale contract

The whitelist contract

Gnosis’ multisig wallet

All contracts are within: https://github.com/AventusSystems/token-sale.

Timeline

As of this post, the bug bounty program is considered started and valid reports of bugs will be compensated moving forward. The bounty program will continue even after the token launch.

Compensation

The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood, as done in the Ethereum bug bounty campaign:

Note: Up to 200 in ETH/BTC

Low: Up to $4,000 in ETH/BTC

Medium: Up to $10,000 in ETH/BTC

High: Up to $20,000 in ETH/BTC

Critical: Up to $40,000 in ETH/BTC

Example: If you find a way to steal raised funds, this is a critical bug. If you find a way to mint AVT, this is high priority.

The submission’s quality will factor into the level of compensation. A high quality submission consists of:

An explanation of how the bug can be reproduced

A failing test case

A fix that makes the test case pass.

High quality submissions may be awarded amounts higher than the amounts specified above.

Note: all AVT will be distributed after the token sale, ending 13th September 2017. It will be unlocked and ready to spend as soon as the token sale ends.

We request that you please give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.

Contact

For any questions, please join the Aventus Slack and join the #security_bounty channel.

Please send submissions to security@aventus.io. We also welcome anonymous submissions.