Bitcoin Satoshi Vision (BSV) was created to restore the original Satoshi protocol, keep it stable, and enable it to massively scale. Unlike other Bitcoin projects, only Bitcoin SV has a plan for a stable protocol and for massive on-chain scaling to become the world’s new money and the global public blockchain for enterprise.
The bug bounty program is focused on the code base for BSV and spans end-to-end, ranging from the soundness of protocols (blockchain consensus model, the wire and p2p protocols, proof of work, etc.) through protocol implementation and compliance to network security and consensus integrity.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability with the following categorization:
- Critical – Catastrophic impact on the network as a whole; network availability compromised; loss of funds
- High – Impacts individual nodes; individual node crashes; potential for a loss of funds
- Medium – Not easily exploitable; medium impact; no loss of funds
- Low – Not easily exploitable; low impact
The level of exploitability is determined by the Bitcoin Association for BSV.
A proof of concept is not required but is recommended to allow faster processing of the bug report. This proof of concept should be code.
Payouts are handled by the [Bitcoin Association for BSV](https://bitcoinassociation.net) directly and are denominated in USD. However, payouts are done in BSV.
Assets in Scope
Not all of [https://github.com/bitcoin-sv/bitcoin-sv](https://github.com/bitcoin-sv/bitcoin-sv) is considered in-scope of the bug bounty program.
Please note the following details with regards to what is in-scope and what is out-of-scope:
Branches in scope:
- the most recently updated branch with prefix: rc-*
- branches prefixed with: review-*
Branches out of scope:
- branches prefixed with: dev-*, exp-* or research-*
- branches suffixed with: *-beta
- all other branches not specified as in scope
If you believe that your bug report that covers a branch in scope is critical and wish to use a secure method of communication, please see our PGP key at the bottom.
The scope is further limited to those Operating Systems & hardware platforms for which binaries are released by the Bitcoin SV Node implementation team. Any external code in the GitHub link is out-of-scope.
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
– Network availability compromised
– Loss of user funds (potential losses of funds are downgraded)
– Node shutdowns or crashes
– Resource exhaustion attack
“Resource exhaustion attack” is defined as an exploit designed to consume large amounts of CPU, memory, bandwidth, or storage resources, whether by normal operation of the Bitcoin SV protocol or by intentionally crafting blocks or transactions with unusual behavioural characteristics. Resource exhaustion attacks, as defined, are generally out of scope for the bug bounty program. However, we acknowledge that there is value in documenting all possible attack vectors and will consider disclosures of such attacks for rewards in the “low” category and, in exceptional cases, in the “medium” category. Awarding of bounties in this category is subject to the following conditions:
– The award is completely discretionary
– The attack must not be previously known to us
– The attack must be demonstrably executable on a version of the software that would otherwise be deemed in scope if not for the resource exhaustion attack exclusion
See above: Impacts in Scope
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
– Attacks that the reporter has already exploited themselves, leading to damage
– Attacks that rely on social engineering
– Attacks requiring access to leaked keys/credentials
– Basic economic governance attacks (e.g. 51% attack)
– Best practice critiques
– Sybil attacks
– Findings from physical testing such as office access (e.g. open doors, tailgating)
– UI bugs and spelling mistakes on this or any associated website
– Network level Denial of Service (DoS/DDoS) vulnerabilities
– Resource exhaustion attacks not satisfying all 3 conditions above
The following activities are prohibited by this bug bounty program:
– Violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience
– Public disclosure of an unpatched vulnerability in an embargoed bounty*
– Interacting with anything other than test accounts you own or with explicit permission from the account holder
– Any testing with mainnet or public testnet; all testing should be done on private testnets
– Attempting phishing or other social engineering attacks against our employees and/or customers
– Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
– Any denial of service attacks
– Automated testing of services that generates significant amounts of traffic
– Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), or proprietary information.
*An embargo period is a fixed period of time from when a bug is reported to when a bug reporter can publicly disclose it. Bug reporters must not publicly discuss or disclose the presence or details of a bug during the embargo period. Once the embargo period is over bug reporters will be free to publicly discuss and disclose the details of the bug they’ve found and any proof-of-concept exploits that they may have written to validate the bug, with the exception of reports related to resource exhaustion attacks.
Please note, we do not want to receive any sensitive data during any disclosure, such as personally identifiable information (PII) or any data associated with private/public keys.
__Bitcoin SV Security Team PGP Key__
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
-----END PGP PUBLIC KEY BLOCK-----