We offer financial rewards to our community members for identifying and reporting valid vulnerabilities and exploits on the 2key network. One of the foundations of decentralized security is community-driven auditing. We encourage you to identify bugs, penetration vectors, financial attack vectors, and other issues that may destabilize the network and its functioning.
So here are the scope and rules of the game for our bug bounty program:
To report a potential bug, please fill out the form below with detailed and comprehensive information.
We review and prioritize the reported bugs and implement fixes within 90 days. If you have reported an issue, please allow us this time to push the fix before you publish it.
Rewards for reporting bugs will be in 2KEY tokens.
The reward amount is proportional to the severity of the issue reported. Once you send the completed form, our dev team assigns your issue a severity score and a priority.
The assessment team will follow the OWASP risk rating model based on Impact and Likelihood of the reported issue:
The amount of 2KEY reward given per report will depend on the following factors:
Here are the approximate maximum amounts of 2KEY reward (in USD value), in descending order of issue severity:
We encourage you to uncover issues with the following characteristics:
Please make sure to report issues that appear on 2key.io and the related Main-Net environment, and check whether they are already fixed or addressed on our testing environment (test.2key.io).
As future specs are continuously developed and deployed, we will review issues in the context of the current expected behavior on main-net, excluding issues already being fixed to be launched on staging (test.2key.io).
The Bug Bounty program started in Nov 2019 with a budget of 1,000,000 (1M) 2KEY tokens.
*We reserve the right to enlarge this pool or modify the reward amounts without prior notice.
The first reporter bringing attention to a valid issue is always eligible for a reward. Occasionally, 2key might elect to give rewards to the first few people signaling the same issue within 7-14 days of the first report.
In general, the following will not meet the threshold for bug-bounty eligibility: