Security & Bug Bounty

Developers may now assist core developers in finding and mitigating security and bug issues for rewards in Dragon tokens!

The Security and Bug Bounty Program is a discretionary rewards program for the Dragonchain community to encourage and reward those willing to help improve the platform. We welcome feedback in the information collected in the report, the process, and award determination criteria.

Rewards

Our rewards are based on the impact of a reported bug or vulnerability. Please note these are general guidelines and examples, and reward decisions are at the discretion of the Dragonchain Security and Bug Bounty Team.

Maximum severity bugs - minimum $500

Types of impacts that Dragonchain would consider to be critical include:

  • Root access vulnerability
  • Vulnerability that allows a user to access another user’s data
  • Vulnerability that can take down nodes or subsystems

Medium range severity bugs - minimum $100:

Types of impacts that Dragonchain would consider to be medium include:

  • Vulnerability to billing manipulation
  • Vulnerability that allows a user to participate in Dragon Net without paying for verifications

Low range severity bugs - minimum $50:

Types of impacts that Dragonchain would consider to be low include:

  • Vulnerability found in applications that allow access to another user’s metadata
  • Vulnerability that allows spoofing of verification data
  • Local node bugs that affect usability or intended configuration

Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the Dragonchain Security and Bug bounty panel.

Guidelines

Please read the following bullets before beginning:

  • Issues already submitted by another user or already known to the Dragonchain team are not eligible for bounty rewards
  • A vulnerability disclosed publicly is ineligible for a bounty reward
  • Dragonchain’s core development team, employees and all other people paid by the Dragonchain project, directly or indirectly, are not eligible for rewards
  • Dragonchain websites and Dragonchain Foundation are NOT part of the bounty program
  • Dragonchain bounty program considers a number of variables in determining an award. Determination of eligibility, severity, and all terms related to an award are at the sole and final discretion of the Dragonchain Foundation Security and Bug bounty panel

Requirements

A bug or security report must follow the process to be considered for award:

  1. Complete the Dragonchain Bug and Security Report Form
  2. If unable for any reason to submit via the official form, please contact us directly (DO NOT post your report directly in these channels):
    undefinedundefinedundefined
  3. DO NOT report your issue or bug anywhere publicly

Award Size Decisioning

In addition to Severity, other variables are considered when the Dragonchain Foundation Security and Bug bounty panel decides the award including (but not limited to):

  • Quality of description. Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repositories to learn more about our test suite in the official documentation.
  • Quality of provided fix, if included. Higher rewards may be paid for submissions with a clear and workable description of how to fix the issue.
  • Quality of general communication. Higher rewards may be paid to reporters that respond to team requests for further information about the issue or the report.

Important Legal Information

The Security and Bug bounty program is a discretionary rewards program for the Dragonchain community to encourage and reward those who are helping to improve the platform. It is not a competition.

  • We may cancel this program at any time
  • Awards are made at the sole discretion of the Dragonchain Security and Bug bounty panel
  • Participants are responsible for all tax compliance and reporting
  • All awards are subject to applicable laws in your jurisdiction
  • Your report and testing must not violate any law or compromise any data not your own
  • All awards are paid in DRGN based upon market price as reported in CoinGecko at time of payment.

We will not issue awards to individuals on US sanctions lists or in countries on sanctions lists (e.g. North Korea, Iran, etc) - see US Department of the Treasury Office of Foreign Assets Control (OFAC) sanctions lists.

Reference

FAQ

What should a good vulnerability submission look like?

  • It will have a reasonable complete and understandable description
  • It will describe one or more potential impacts to the system or its users.
  • It will describe the conditions necessary to repeat the issue.
  • It will list components or services involved, including version and other necessary information.
  • It will offer reasonably detailed list of steps for reproduction of the issue.
  • It will optionally include files to aid in the reproduction or documentation (e.g. screenshots, configuration files, data files, output files, etc.).
  • It will optionally offer a proposal(s) to address or fix the issue. This could be a design proposal or include actual fix(es) to software code.

Ready to file a report?

Help improve the Drqagonchain platform and get rewarded.