Formalizing a Bug Bounty Program

There should be formal bug bounty program to encourage security researchers to audit Serum programs and to also set expectations for the amount awarded. Here’s a proposal originally written by skynet (with some minor modifications).

Project Serum Bug Bounty

Overview

Project Serum is now offering a Bug Bounty program for security researchers that discover vulnerabilities or exploits in Project Serum’s Solana programs.

Security vulnerabilities or other high-severity vulnerabilites that are successfully reported following the terms of the Bug Bounty program can be eligible for a reward of up to $1,000,000 , depending on severity and paid in SRM.

Terms

  • The vulnerability:
    1. Must be first reported to Project Serum exclusively.
    2. Must not be publicly shared before report to Project Serum.
    3. Must not be publicly shared during Project Serum’s investigation and fix.
    4. Must be reproducible by Project Serum.
    5. Should only be publicly disclosed if agreed upon after bug resolution.
  • You must be the first person to report this vulnerability.
  • You must not maliciously exploit the vulnerability in any way after discovery.
  • You must not be subject to United States sanctions or live in any U.S.-embargoed country.

Rewards

A reward of up to $1,000,000 will be granted based on the severity of the vulnerability disclosed. The evaluation of severity is made at the discretion of the Project Serum DAO. The reward will be paid out in a USD equivalent of SRM.

You will receive a reward higher on the scale depending on how detailed the report is. Please include details such as:

  • Conditions to reproduce
  • Proof-of-Concept
  • Example code
  • Implications of the vulnerability

Disclosure

Disclaimer

  • Terms of the Bug Bounty program can be changed at any time at the discretion of the Project Serum DAO.
1 Like

Clarification. I think that this program should only apply to vulnerabilities found in live smart contracts. This would exclude deprecated code no longer used or code provided for educational purposes. It would also exclude bugs found in Anchor and other frameworks, which I think should run a separate program.