Bounty program

Security experts, software developers, and hackers who dedicate time and effort to improve the Rootstock blockchain
can be rewarded through the bounty program.

Rules and rewards

Submit a vulnerability to be eligible for rewards

  • The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated. We accept anonymous submissions, but in that case the bounty reward will be donated to charity.
  • IOVlabs may cite the submitter name and points earned in Rootstock blog posts and online bounty rankings.
  • If you prefer not to be identified in IOVlabs communications by your real name you must clarify this and provide a pseudonym in your submission.
  • Issues that have already been submitted by another submitter or are already known to the IOVlabs team are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) and then reports to IOVlabs with considerable delay, then IOVlabs may reduce or cancel the bounty.
  • You can start or fork a private chain for bug hunting. Please refrain from attacking the Rootstock mainchain and test networks. Also please refrain from attacking the ETH or ETC main-chains and test networks. An attack will make the vulnerability ineligible for a bounty.
  • IOVlabs development team, employees and all other people paid by IOVlabs, directly or indirectly, are not eligible for rewards.
  • A person who submitted a change in the Rootstock codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.
  • IOVlabs websites, infrastructure and assets are NOT part of the IOVlabs bounty program.

**Determinations of eligibility, score, and all terms related to an award are at the sole discretion of IOVlabs.**

Severity-based rewards system

  • The value of rewards paid out will vary depending on the severity of the vulnerability submitted. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.
  • A bug triggered by a single low-cost transaction that forks the Rootstock blockchain into some nodes accepting a block containing the transaction and some nodes rejecting that block, will be generally considered High.
    This is because it is highly likely to be used for an attack but the impact is medium, because a double-spend attack must also be perpetrated to steal assets.
  • You can start or fork a private chain for bug hunting. Please refrain from attacking the Rootstock mainchain and test networks. Also please refrain from attacking the ETH or ETC main-chains and test networks. An attack will make the vulnerability ineligible for a bounty.
  • IOVlabs development team, employees and all other people paid by IOVlabs, directly or indirectly, are not eligible for rewards.
  • A person who submitted a change in the Rootstock codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.
  • IOVlabs websites, infrastructure and assets are NOT part of the IOVlabs bounty program.

The IOVlabs reward program considers a series of variables to determine the rewards

Eligibility determinations, scoring and all terms related to a prize are at the sole and absolute discretion of IOVlabs.