2key Bug Bounty Program

We offer financial rewards to our community members for identifying and reporting valid vulnerabilities and exploits on the 2key network. One of the foundations of decentralized security is community-driven auditing. We encourage you to identify bugs, penetration vectors, financial attack vectors, and other issues that may destabilize the network and its functioning.

So here are the scope and rules of the game for our bug bounty program:

How it Works

To report a potential bug, please fill out the form below with detailed and comprehensive information.
We review and prioritize the reported bugs and implement fixes within 90 days. If you report an issue, please allow us this time to push the fix before you disclose it publicly.

Rewards

Rewards for reporting bugs will be in 2KEY tokens.

The reward amount is proportional to the severity of the issue reported. Once you send the completed form, our dev team assigns your issue a severity score and a priority.

The assessment team will follow the OWASP risk rating model, based on the Impact and Likelihood of the reported issue.

The amount of 2KEY reward given per report will depend on the following factors:

  • Demonstration of how the issue may be exploited to maximum effect
  • Severity of the issue
  • Complexity in solving the issue
  • Reproducibility of the issue
  • Includes a pull request for a valid fix of the issue

Here are the approximate maximum amounts of 2KEY reward (in USD value) that will be given, in descending order of issue severity:

  • Critical: up to 5,000 USD
  • High: up to 1,000 USD
  • Medium: up to 500 USD
  • Low: up to 100 USD

We encourage you to uncover issues with the following characteristics:

  • Contracts - logic flaws / security issues / financial breaches
  • Contracts - possible exploits and vulnerabilities - both architecture and implementation
  • Contracts - upgradability and versions schema attack vectors
  • 2key protocol - bugs, vulnerabilities, exploits, security breaches, cryptography errors
  • API - exploits, data breaches, data leakages, permissions breaches, wrong behavior
  • Dapp - crashes, stalls, funnel blocks, usability errors, etc.
  • Game Theory - attack vectors, collusion network vectors, etc., which may be carried out on the existing product

Please make sure to report issues that appear on 2key.io and the related Main-Net environment, and check whether they are already fixed or addressed on our testing environment (test.2key.io).
As future specs are continuously developed and deployed, we will review issues in the context of the current expected behavior on main-net, excluding issues already being fixed to be launched on staging (test.2key.io).

The Bug Bounty program started with a budget of 1,000,000 (1M) 2KEY tokens in Nov 2019.

*We reserve the right to enlarge this pool or modify the reward amounts without prior notice.

Eligibility

The first reporter bringing attention to a valid issue is always eligible for a reward. Occasionally, 2key might elect to give rewards to the first few people signaling the same issue within 7-14 days of the first report.

In general, the following will not meet the threshold for bug-bounty eligibility:

  • Issues on a test environment that have just been deployed and are work-in-progress by the 2key devs
  • Any issues on 3rd party sites/apps unless they are directly linked to an exploit or bug specific to 2key
  • Issues depending on or arising from physical attacks
  • Game-theoretic issues
  • Known Issues
  • Issues affecting outdated or unpatched browsers
  • Issues that have not been thoroughly investigated and comprehensively reported
  • Issues that cannot be reproduced

We ask and encourage the community to report any bugs to us even if they are not eligible for a reward. A better 2key network is a win for all of us :)

Scope

Process

  • Create a 2key account at 2key.io
  • Click the “Report a bug” button below
  • Fill out the form
  • If the bug is valid, you will receive a response from us by email within 90 days
Report a Bug