Cosmos, an interoperable blockchain ecosystem, has increased its incentives for their bug bounty program for the Cosmos Stargate software upgrade. The bug bounty will allow hackers, developers, and the community to trial and debug the upgrades and breaking changes to the Cosmos SDK, Tendermint Core, Gaia, and Inter Blockchain Communication codebases. The special bug bounty program is live and will conclude on December 31, 2020.
Recent changes to the code include a transition from an in-house serialization system to Protocol Buffers (Protobuf), major new Tendermint Core features like state sync, and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These changes are a high priority for the security community to review. Bounty rewards are based on many factors including impact, risk, the likelihood of exploitation, and report quality. The CVSS framework will be used to score all reports in a standardized and fairway. The rewards for bugs will be classified into these categories for payout:
- Critical— $5,000 and up
- High— $3,000 and up
- Medium— $1,000 and up
“We believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols,” Interchain GmbH engineering VP Tess Rinearson said. “Our ongoing testing, and in particular this new program, exists to proactively reward people who discover bugs in our protocols and products.
“The release of the Stargate codebase reifies our commitment to the open-source community, with the goal of bringing Cosmos into a new era. For the first time ever, Cosmos blockchains will be able to connect with each other using a standardized protocol for inter-blockchain communication.”
While there is no maximum program reward, Cosmos core contributors will value creative or severe bugs and reward them accordingly. Examples of vulnerabilities that are of interest include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service vectors, lost write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, and payloads/transactions that cause panics.
Please see here for a quick-start guide to getting Tendermint Core running so you can start hunting for bugs. To work with Cosmos-SDK, start here to learn more about getting it up and running in your testing environment.
The Cosmos Network is a secure and scalable blockchain ecosystem where thousands of decentralized applications interoperate to create the foundation for a new token economy. Currently, more than $6 billion in digital assets have been secured on Cosmos blockchains, more than 8500 Github stars have been created on Cosmos and Tendermint projects, and there are more than 200 projects in the Cosmos Tendermint ecosystem. Please see here for a quick-start guide to getting Tendermint running so you can start hunting for bugs.
For more information visit https://hackerone.com/tendermint.