We call on our community and all bug bounty hunters to help identify bugs in Kusama.
If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it as per the instructions on the Web3 Foundation website. Disclosure to any third parties disqualifies bug bounty eligibility.
Generally speaking, any bug that poses a significant vulnerability, from the soundness of protocols and protocol/implementation compliance, to network security, to classical client security as well as the security of cryptographic primitives, could be eligible for a reward. Please note that it's entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.
Examples include: An attack that could disrupt the entire network and harm the validity of the network would be considered a critical threat. An attack that would disrupt service to others would be considered a high threat.
Please note: The submission quality will be a large factor in the level of considered compensation. A high-quality submission includes an explanation of how the bug can be reproduced, how it was discovered, and other critical details. Please disclose responsibly; disclosure to any third parties disqualifies bug bounty eligibility.
Responsible investigation and reporting
Responsible investigation and reporting include, but are not limited to, the following:
- Don't violate the privacy of other users, destroy data, etc.
- Don't defraud or harm the Kusama network or its users during your research; you should make a good-faith effort not to interrupt or degrade our services.
- Don't target the validators' physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- Initially report the bug only to us and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
Please follow the instructions at web3.foundation/security-report/.