Aleo Bug Bounty Program: elevating network security and rewards
Welcome to the Aleo Bug Bounty Program, a cornerstone in reinforcing the security infrastructure of the Aleo network. Aleo is excited to engage with the global security community, and here’s an expanded overview.
Currently, bug reports can be submitted via our HackerOne page.
Rewards and funding:
- Initial rewards pool: the program boasts an initial rewards pool of $500,000 USD.
- Varied rewards: payouts per bug report vary based on the severity and impact of the identified vulnerability on the Aleo core protocol.
Eligibility criteria and payout structure:
- Sanctions compliance: participants must not reside in countries subject to any United States sanctions.
- Regulatory screening: KYC/AML & OFAC screening is mandatory for all researchers.
- Originality requirement: reports should present original findings, with credit assigned to the first valid submission.
October 2023 statistics: reports resolved: 7; assets in scope: 2; average bounty: $3k.
Response time commitments: Aleo commits to the following response times:
- First response: within 1 day
- Time to triage: 7 days
- Time to bounty: 2 days
- Time to resolution: duration depends on the severity and complexity of the identified vulnerability.
Disclosure policy:
- Confidentiality assurance: researchers are prohibited from discussing vulnerabilities outside the program without express consent.
- Guideline adherence: researchers must adhere to HackerOne’s disclosure guidelines.
Program rules:
- Detailed reporting: submissions should include comprehensive reports with reproducible steps and a functional Proof of Concept (PoC).
- One vulnerability per report: unless vulnerabilities need chaining to demonstrate impact.
Bounty tiers:
1. Critical: $30k — $75k (3x higher)
- Total network shutdown
- Unintended permanent chain split requiring a hard fork
- Direct loss of funds
- Double spending
- Ability to steal/burn/freeze tokens
2. High: $10k — $20k (2x higher)
- Unintended chain split
- Temporary freezing of network transactions
- Causing issues with network processing nodes
3. Medium: $3k — $7.5k (1.5x higher)
- Increasing network processing node resource consumption
- Shutdown of network processing nodes without a network shutdown
4. Low: $625 — $2.5k (1.25x higher)
- Shutdown of network processing nodes without a network shutdown
- Modification of transaction fees
Upgraded rewards:
Out of scope:
- Anything unrelated to the Aleo core protocol (snarkOS and/or snarkVM).
- Issues related to decentralized applications (dApps) or software built on the Aleo blockchain.
- User interfaces, web/mobile applications, or client-side components.
- Theoretical vulnerabilities without accompanying Proof of Concept (PoC).
- Reports from automated tools or scans.
Contact information: For inquiries, please email security@aleo.org with “Bug Bounty Question” in the subject line.
Your contributions play a pivotal role in fortifying the security posture of Aleo.
In conclusion, the Aleo Bug Bounty Program stands as a testament to our unwavering commitment to security within the Aleo ecosystem. By partnering with a leading platform such as HackerOne, Aleo is fostering a collaborative and inclusive environment for security researchers and ethical hackers.
Prepared by Colliseum