Program Overview
Bitcoin Satoshi Vision (BSV) was created to restore the original Satoshi protocol, keep it stable, and enable it to massively scale. Unlike other Bitcoin projects, only Bitcoin SV has the plan for a stable protocol and plan for massive on-chain scaling to become the world’s new money and the global public blockchain for enterprise.
The bug bounty program is focused on the code base for BSV and spans end-to-end, ranging from the soundness of the protocols (blockchain consensus model, the wire and p2p protocols, proof of work, etc.) and their implementation and compliance, to network security and consensus integrity.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability with the following categorization:
- Critical – Catastrophic impact on the network as a whole; network availability compromised; loss of funds
- High – Impacts individual nodes; individual node crashes; potential for a loss of funds
- Medium – Not easily exploitable; medium impact; no loss of funds
- Low – Not easily exploitable; low impact
The level of exploitability is determined by the Bitcoin Association for BSV.
A proof of concept is not required but is recommended to allow faster processing of the bug report. This proof of concept should be code.
Payouts are handled by the [Bitcoin Association for BSV](https://bitcoinassociation.net) directly and are denominated in USD. However, payouts are done in BSV.
| Level | Payout |
|---|---|
| Critical | USD $100,000 |
| High | USD $50,000 |
| Medium | USD $10,000 |
| Low | USD $1,000 |
Assets in Scope
Not all of [https://github.com/bitcoin-sv/bitcoin-sv](https://github.com/bitcoin-sv/bitcoin-sv) is considered in scope for the bug bounty program.
Please note the following details with regards to what is in-scope and what is out-of-scope:
Branches in scope:
- master branch
- most recently updated branch with prefix: rc-*
- branches prefixed with: review-*
Branches out of scope:
- branches prefixed with: dev-*, exp-* or research-*
- branches suffixed with: *-beta
- all other branches not specified as in scope
If you believe that your bug report that covers a branch in scope is critical and wish to use a secure method of communication, please see our PGP key at the bottom.
The scope is further limited to those Operating Systems & hardware platforms for which binaries are released by the Bitcoin SV Node implementation team. Any external code in the GitHub link is out-of-scope.
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something listed under Assets in Scope.
Smart Contracts/Blockchain
– Network availability compromised
– Loss of user funds (potential losses of funds are downgraded)
– Nodes shut down or crashes
– Resource exhaustion attack
“Resource exhaustion attack” is defined as an exploit designed to consume large amounts of CPU, memory, bandwidth, or storage resources, whether by normal operation of the Bitcoin SV protocol or by intentionally crafting blocks or transactions with unusual behavioural characteristics. Resource exhaustion attacks, as defined, are generally out of scope for the bug bounty program. However, we acknowledge that there is value in documenting all possible attack vectors and will consider disclosures of such attacks for rewards in the “low” category and, in exceptional cases, in the “medium” category. Awarding of bounties in this category is subject to the following conditions:
– The award is completely discretionary
– The attack must not be previously known to us
– The attack must be demonstrably executable on a version of the software that would otherwise be deemed in scope if not for the resource exhaustion attack exclusion
Prioritized Vulnerabilities
See above: Impacts in Scope
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
– Attacks that the reporter has already exploited themselves, leading to damage
– Attacks that rely on social engineering
– Attacks requiring access to leaked keys/credentials
– Basic economic governance attacks (e.g. 51% attack)
– Best practice critiques
– Sybil attacks
– Findings from physical testing such as office access (e.g. open doors, tailgating)
– UI bugs and spelling mistakes on this or any associated website
– Network level Denial of Service (DoS/DDoS) vulnerabilities
– Resource exhaustion attacks not satisfying all 3 conditions above
The following activities are prohibited by this bug bounty program:
– Violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
– Public disclosure of an unpatched vulnerability in an embargoed bounty*
– Interacting with anything other than test accounts you own or with explicit permission from the account holder.
– Any testing with mainnet or public testnet; all testing should be done on private testnets
– Attempting phishing or other social engineering attacks against our employees and/or customers
– Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
– Any denial of service attacks
– Automated testing of services that generates significant amounts of traffic
– Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII) or proprietary information.
*An embargo period is a fixed period of time from when a bug is reported to when a bug reporter can publicly disclose it. Bug reporters must not publicly discuss or disclose the presence or details of a bug during the embargo period. Once the embargo period is over bug reporters will be free to publicly discuss and disclose the details of the bug they’ve found and any proof-of-concept exploits that they may have written to validate the bug, with the exception of reports related to resource exhaustion attacks.
Other Notes
Please note, we do not want to receive any sensitive data during any disclosure, such as personally identifiable information (PII) or any data associated with private/public keys.
__Bitcoin SV Security Team PGP Key__
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
=zYLL
-----END PGP PUBLIC KEY BLOCK-----