January 10, 2024
A new bug bounty program!
When we updated our Responsible Disclosure policy last year, we did so with a very limited budget.
Members of the community were very quick to point out that the size of the rewards were not commensurate with the scale of the issues we were asking the community to help us find.
Now that 2024 has rolled in, and we’re in touching distance of the Minotari mainnet launch, we’re able to substantially increase the value of the rewards we’re offering; primarily in the form of Tari tokens.
🎉🎉🎉 Bounties up to $250,000 worth of XTR 🎉🎉🎉
Yes, for all intents and purposes, we’ll pay you a quarter bar in Minotari tokens for consensus-breaking bugs.
There are some Ts & Cs. I’ve highlighted the major ones below, but you can skip all of this and go and read the full, updated Tari Security Policy right away.
We are still offering cash rewards, but the lion’s share of the reward value will be coming from the token bounty allocation.
Get cracking!
Cash bounties
The payouts for cash bounties have actually gotten a slight boost. We have partnered with HackerOne for our new bounty programme, and the payouts are as follows:
| Severity | Maximum bounty | Example of vulnerability |
|---|---|---|
| Critical | $5,000 | Inflation bugs, spending unowned funds, Producing valid blocks without mining |
| High | $2,000 | Double spends, Severe DoS, Forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys |
| Medium | $750 | Other DoS, other TariScript vulnerabilities |
| Low | $100 | Minor bugs or non-blockchain issues (e.g. on tari.com, explore.tari.com etc.) |
Token-based bounties
If you make use of the HackerOne programme, we may issue a token reward in addition to the cash bounty. The token rewards are awarded according to the following schedule:
| Severity | Bounty Range* | Example of vulnerability |
|---|---|---|
| Critical | $100,000 - $250,000 | Inflation bugs, spending unowned funds, Producing valid blocks without mining |
| High | $25,000 - $75,000 | Double spends, Severe DoS, Forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys |
| Medium | $5,000 - $15,000 | Other DoS, other TariScript vulnerabilities |
| Low | $500 - $5,000 |
*As the Minotari price is unknown prior to launch, values are quoted in USD-equivalent terms at time of delivery. The bounties will be paid out in Minotari. For example, if the trading price of Minotari was $0.04, a medium-severity award of $10,000 would be converted to 250,000 Minotari tokens.
Terms and conditions apply
Tokens will be distributed after launch
So, firstly, the token rewards can only be paid once Minotari actually exist. Obviously. But we’d love to have any bugs that warrant the highest payout to be found before launch. Obviously.
So we’re kicking off the bounty program now, and handing out IOUs for the tokens to be paid out a few months after launch. The delay is there to let the Minotari price stabilise for a period before issuing the awards.
The cash rewards are a little sweetener, in addition to the tokens, to compensate for the time delay between disclosure and token payout.
Cash rewards can only be claimed on HackerOne
We’re working with HackerOne to manage the bounty program. All the cash rewards will be paid out through that program, and you’ll need to register with HackerOne to claim them.
If you find a bug but don’t want to register with HackerOne, you can still claim the token reward but will forego the cash bounty.
Non-critical, non-HackerOne disclosures will likely take much longer to triage, since these disclosures must be processed by the core developers, and they’re rather busy prepping for mainnet launch.
Read the full disclosure policy
You can read all the fine print, along with instructions on how to join the HackerOne bounty program in the Tari Security Policy document. Thank you for helping us make Tari more secure!
