About
Who Can Run a Bug Bounty Contest?
Literally anyone. It is open to any team who would like to have their code reviewed. Teams decide the amount of bounty reward they would like to provide. There is no charge to use the platform; however, the team will need to provide 5% of the total bounty reward to the Evaluator for the service they provide.
Who Can Be a Bug Exterminator?
Anyone can be a Bug Exterminator. There are no selection criteria; it is open to anyone who wants to spend time reviewing the code and receive payment for their findings. You simply need to fill out the registration form on our website, choosing a username and an avatar or photo. You can remain anonymous in this role: we only need the username, which you will use when submitting bug reports for anything you find. Teams are welcome; simply fill out the form and create a username for your team.
How Does the Bug Review Process Work?
- Bug Exterminators will have a window to review the code and submit a report for anything that they find.
- The window for each bug bounty contest is given on the website.
- They are required to submit one report per bug (multiple bugs cannot be included in the same report). Reports must use the report template found on the website.
- Payouts are on a first come, first served basis: if the same bug is submitted by multiple people, whoever submitted it first receives the payment.
- Bug Exterminators are allowed and encouraged to work as a team. Simply register the team during the registration process, the same as an individual would.
- Bug Exterminators must include clear instructions so that a reviewer can easily understand and replicate the issue that was found, along with the exact location in the code where the issue was identified.
- Bug Exterminators will be required to self-designate the risk rating when submitting the form.
- Payment amounts are pre-determined for each risk rating, and payment is made in ADA.
Risk Rating
We will be using the OWASP risk rating criteria, and an Excel sheet will be provided as part of the template which uses simple drop-downs to determine the risk rating. Exterminators will be required to justify each selection they made in determining the risk rating (examples will be provided in the template). The risk ratings that the Exterminator will be able to choose from are High, Medium, Low, and Non-Critical. Any submission that does not apply to the smart contract itself will be designated as Non-Critical. An example of the OWASP risk rating criteria is shown below.
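As an added worked example (not the platform's spreadsheet, which is not reproduced on this page), this is the standard OWASP Risk Rating Methodology carried out in Python: each factor is scored 0 to 9, likelihood and impact are averaged and bucketed into LOW/MEDIUM/HIGH, and the OWASP severity matrix gives the overall rating. The factor scores below are constructed sample values; how the platform collapses OWASP's five overall severities into its own High/Medium/Low is not stated on this page and is not assumed here.

```python
# Standard OWASP Risk Rating Methodology, implemented as an illustration.
# Likelihood: 4 threat-agent factors + 4 vulnerability factors, each 0-9.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
# Impact: OWASP prefers the business-impact factors when they are known and
# falls back to the technical-impact factors otherwise.
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall-severity matrix, indexed [impact level][likelihood level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def level(score):
    """OWASP bucket: 0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"scores must be in 0-9, got {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(scores, names):
    """Mean of the named factors; every factor must be present and in range."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factor(s): {missing}")
    for n in names:
        level(scores[n])  # range check only
    return sum(scores[n] for n in names) / len(names)

def owasp_rating(likelihood, impact):
    """Return (likelihood score, impact score, OWASP overall severity)."""
    impact_names = BUSINESS_IMPACT if all(n in impact for n in BUSINESS_IMPACT) \
        else TECHNICAL_IMPACT
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, impact_names)
    return l_score, i_score, SEVERITY[level(i_score)][level(l_score)]

# Constructed sample: a hypothetical smart-contract finding scored by a reporter.
SAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                     "ease_of_discovery": 7, "ease_of_exploit": 5,
                     "awareness": 6, "intrusion_detection": 9}
SAMPLE_IMPACT = {"loss_of_confidentiality": 2, "loss_of_integrity": 7,
                 "loss_of_availability": 5, "loss_of_accountability": 9}

if __name__ == "__main__":
    print(owasp_rating(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))  # (7.5, 5.75, 'High')
```

Because the reporter must justify every drop-down choice, each factor score in the report should be accompanied by the one-line reason for it; an Evaluator can then re-run the same table and see exactly which factor they disagree with.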
Bug Evaluation
Bug Evaluators are members of the Cardano community who have the skill and knowledge to properly assess the bug reports. If you would like to become a Bug Evaluator, please contact us. The Evaluator is responsible for going through all bug reports submitted by Exterminators and assessing them. They will review each bug or vulnerability that was found and certify whether it is a valid bug or vulnerability. They will also review the risk rating that the Exterminator provided and determine whether it is correct. The Evaluator must write a commentary explaining why they agree with the Exterminator's assessment or, if they believe it should be different, justifying the change and stating the rating that has been given.
The Evaluator does this for all reports that were submitted. When they are done, they must compile a summary report listing every bug report submitted (both valid and invalid), with their justification for why each is valid or invalid and why it receives the risk rating they gave it.
Summary Report
The Evaluator will compile a final report that contains only the certified valid bugs (descriptions, risk ratings, payouts, and the Exterminator who found each). This report is first shared with the team running the contest for their review. It is then published on the website for all to see. After it is published, payments are sent to everyone who found qualifying bugs. The payouts for Low, Medium, and High are pre-determined.