We’re offering financial rewards to members of our community for identifying and reporting valid vulnerabilities and exploits of the 2key network. One of the foundations of decentralised security is community-driven auditing, so we want to encourage you to identify bugs, penetration vectors, financial attack vectors and other issues which may destabilise the network and its functioning.
So here are the scope and rules of the game for our bug bounty program:
During the pre-production stage, submitted bug reports will be published on a public Trello board, open to the 2key community, so that the community can monitor how the 2key team handles each reported issue.
After the 2key network goes live we may make the Trello board private so that malicious actors cannot take advantage of exploits reported by the community before they are fixed.
We’re committed to implementing a fix within 90 days of the report. So if you’ve identified an issue, please allow us this time to push the fix before publishing it publicly, so that other members of the 2key community are not exposed to attacks in the meantime.
Rewards for reporting bugs will be in 2KEY tokens.
The amount of the reward will correspond to the severity of the issue reported. Once you fill out the form, your issue will land in our bounties Trello board, and our dev team will assign a severity to your issue:
The assessment team will follow the OWASP risk rating model based on Impact and Likelihood of the reported issue:
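As an added example (not the 2key team's tooling), here is how a severity can be derived with the OWASP Risk Rating Methodology named above: each likelihood and impact factor is scored from 0 to 9, the factors in each group are averaged, each average is bucketed into LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and up), and the pair is looked up in OWASP's overall-risk matrix. The factor names, scales and matrix are OWASP's; the two sample reports are constructed for illustration and do not describe real 2key issues.

```python
"""Minimal OWASP Risk Rating calculator (added example, not 2key project code)."""
from statistics import mean

# OWASP likelihood factors: threat-agent factors + vulnerability factors, each 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# OWASP impact factors: technical impact + business impact, each 0-9.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# OWASP overall-risk matrix, indexed [impact level][likelihood level].
RISK_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def _score(factors, values):
    """Average the named 0-9 factors; reject missing or out-of-range values."""
    missing = set(factors) - set(values)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in factors:
        if not 0 <= values[name] <= 9:
            raise ValueError(f"{name}={values[name]} is outside OWASP's 0-9 scale")
    return mean(values[name] for name in factors)


def level(score):
    """OWASP bucketing: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(report):
    """Return (likelihood score, impact score, overall severity) for one report."""
    likelihood = _score(LIKELIHOOD_FACTORS, report)
    impact = _score(IMPACT_FACTORS, report)
    return likelihood, impact, RISK_MATRIX[level(impact)][level(likelihood)]


# Constructed sample: a hypothetical bug that lets an anonymous user move funds
# without authorisation. Likelihood 59/8 = 7.375 (HIGH), impact 53/8 = 6.625 (HIGH).
FUNDS_DRAIN_EXAMPLE = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 2, "loss_of_integrity": 9,
    "loss_of_availability": 7, "loss_of_accountability": 9,
    "financial_damage": 9, "reputation_damage": 9, "non_compliance": 5, "privacy_violation": 3,
}

# Constructed sample: a hypothetical verbose error page leaking a stack trace.
# Likelihood 41/8 = 5.125 (MEDIUM), impact 13/8 = 1.625 (LOW).
STACK_TRACE_EXAMPLE = {
    "skill_level": 3, "motive": 1, "opportunity": 9, "size": 9,
    "ease_of_discovery": 9, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 1,
    "financial_damage": 1, "reputation_damage": 3, "non_compliance": 2, "privacy_violation": 2,
}

if __name__ == "__main__":
    for name, report in (("funds drain", FUNDS_DRAIN_EXAMPLE),
                         ("stack trace", STACK_TRACE_EXAMPLE)):
        likelihood, impact, severity = rate(report)
        print(f"{name}: likelihood={likelihood:.3f} impact={impact:.3f} -> {severity}")
```

The matrix is what makes two reports with similar technical findings land in different buckets: a HIGH-impact issue that is hard to exploit (likelihood LOW) rates only Medium, while the same impact with a HIGH likelihood rates Critical. Scoring the eight likelihood factors honestly (in particular opportunity, size and intrusion detection) is therefore as important as scoring the impact.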
The amount of 2KEY reward given per report will depend on the following factors:
Here are the approximate maximum 2KEY rewards (expressed in USD) that will be given per issue severity:
Specifically, we encourage you to find issues with the following characteristics:
Please make sure to report issues against the spec currently deployed on ropsten.app.2key.network (our staging environment). As future specs are continuously being developed and deployed, we will review issues in the context of the currently expected behaviour on staging.
The current reserved bug bounty pool is 1,000,000 (1M) 2KEY tokens. At the pre-sale price these are worth approximately 60,000 USD*
*We reserve the right to enlarge this pool, as well as change the reward amounts, without prior notice.
While the bounty Trello board is public, a reporter will be eligible for a reward only if she is the first to report an issue; since the board is public, a quick check of existing reports before submitting avoids duplicates.
Once the board goes private, a reporter will be eligible for a reward if she is one of the first 5 people to report an issue, within 5 days of the first report. In such cases, the reward will be divided evenly between all eligible reporters (up to 5).
In general, the following will not meet the threshold for bug-bounty eligibility: