2key Bug Bounty Program

Bug Bounty Program

We’re offering financial rewards to members of our community for identifying and reporting valid vulnerabilities and exploits of the 2key network. One of the foundations of decentralised security is community-driven auditing, so we want to encourage you to identify bugs, penetration vectors, financial attack vectors and other issues which may destabilise the network and its functioning.

So here are the scope and rules of the game for our bug bounty program:

How it Works

During the pre-production stage, submitted bug reports will be published in a public Trello board, open to the 2key community. The community will be able to monitor 2key team’s handling of the reported issues.

After the 2key network goes live, we reserve the right to hide the Trello board so that malicious actors don’t take advantage of exploits reported by the community.

We’re committed to implementing a fix within 90 days of the report. So if you’ve identified an issue, please allow us this time to push the fix before disclosing it publicly, to help protect other members of the 2key community from potential attacks.

Rewards

Rewards for reporting bugs will be in 2KEY tokens.

The amount of the reward will correspond to the severity of the issue reported. Once you fill out the form, your issue will land in our bounties Trello board, and our dev team will assign a severity to your issue:

  • If the issue is found to be a non-issue, the card will be moved to a dedicated non-issue list.
  • If the issue is relevant, it will be moved to the TODO list and given priority according to the decision of the 2key assessment team.

The assessment team will follow the OWASP risk rating model, based on the Impact and Likelihood of the reported issue.

The amount of 2KEY reward given per report will depend on the following factors:

  • Report demonstrates how the issue may be exploited to maximum effect
  • Severity of the issue
  • Complexity in solving the issue
  • Report also includes a pull request with a valid fix for the issue

Here are the approximate maximum 2KEY rewards (expressed in USD) that will be given per issue severity:

  • Critical: up to 5,000 USD
  • High: up to 1,000 USD
  • Medium: up to 500 USD
  • Low: up to 100 USD

Specifically, we encourage you to find issues with the following characteristics:

  • Contract logic flaws / security issues / financial breaches
  • Possible contract exploits and vulnerabilities, in both architecture and implementation
  • Contract upgradability and versioning scheme attack vectors
  • 2key protocol: bugs, vulnerabilities, exploits, security breaches, cryptography errors
  • API: exploits, data breaches, data leakages, permission breaches, wrong behavior
  • Dapp: crashes, stalls, funnel blocks, usability errors, etc.
  • Game theory attack vectors, collusion network vectors, etc., which may be carried out on the existing product

Please make sure to report issues which are in line with the existing spec on ropsten.app.2key.network (our staging env). As future specs are continuously being developed and deployed, we will review issues in the context of the current expected behaviour on staging.

The current reserved bug bounty pool is 1,000,000 (1M) 2KEY tokens. At the pre-sale price these are worth approximately 95,000 USD.*

*We reserve the right to enlarge this pool, as well as change the reward amounts, without prior notice.

Eligibility

While the bounty Trello board is public, a reporter will be eligible for a reward if she’s the first one to discover an issue.
Once the board goes private, a reporter will be eligible for a reward if she’s one of the first 5 people to report an issue, within 5 days of the first report. In such cases, the reward will be evenly divided between all eligible reporters (up to 5).

In general, the following will not meet the threshold for bug-bounty eligibility:

  • Issues in test environments that have just been deployed and are still work in progress for the 2key devs
  • Any issues on 3rd party sites/apps, unless they are directly linked to an exploit or bug specific to 2key
  • Issues depending on or arising from physical attacks; game-theoretic issues that are already known and on the roadmap to be addressed later
  • Issues affecting outdated or unpatched browsers
  • Issues that have not been responsibly investigated and reported
  • Issues that are already known to the 2key team
  • Issues that cannot be reproduced
  • Issues that we cannot be reasonably expected to handle.

Scope

  • App: ropsten.app.2key.network
  • API: ropsten.api.2key.network
  • Contracts: the version deployed on staging, github.com/2key/contracts at the tag returned by get2keyProtocolVersion (run this command in the console from within the 2key staging app)

Process

Report a Bug