Centrality Bug Bounty Program
We strive to ship software without bugs, but recognize that we will not catch all of them. We invite our community and all bug hunters to help find bugs in our products. If you find a bug, we value your collaboration in responsibly researching and reporting it to us so that we can address it as soon as possible.
Our Centrality Bug Bounty Program allows us to recognize and reward members of the Centrality community for helping us find and fix critical bugs, under the terms of the Centrality Bug Bounty Program set out below.
We want to remind all Hunters that Centrality's main products are open source code and the associated released binaries (hosted in our GitHub repositories), as well as proprietary services and software. Our Bug Bounty Program aims to cover both.
Responsible investigation and reporting
Responsible investigation and reporting includes, but isn’t limited to, the following:
- Don’t violate the privacy of other users, destroy data, etc.
- Don’t defraud or harm Centrality Ltd or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
- Don’t target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- Initially report the bug only to us and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.
Any bug that poses a significant vulnerability, whether to network security or to classical client security, may be eligible for a reward. Please note that it is entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.
The Centrality Bug Bounty Program covers security issues identified in the following sets of protocols, code bases and services:
- Cryptography code: any bugs relating to cryptography, encryption, decryption, and signing of messages (this includes account creation and recovery).
- Client code: any bugs which can be used to bring down or take control of Centrality clients without direct access to the machine.
- Smart contracts: any bugs which compromise the intended behavior of a smart contract in the Centrality suite, particularly bugs which can lead to Ether or ERC20 tokens being transferred.
- Client application security:
  - bugs which can allow DApps running in the Parity browser to obtain privileges not intended for them.
  - DApps should not be able to escape the “sandbox” they run in.
- Whisper code: any errors in the implementation of encryption.
- Any bugs in the Token Generator application.
- The Centrality websites https://centrality.ai/ along with https://poweredbyplug.com/ and all the third-level websites on those domains
Exclusions
- Bugs which have already been submitted by another user, are already known to the Centrality team, or have already been publicly disclosed are not eligible for rewards.
- Centrality’s development team, Centrality’s employees and any other person employed in any way by the company, directly or indirectly, are not eligible for rewards.
- Anyone engaged to review or audit Centrality code in exchange for remuneration will not be eligible for rewards.
Bug Bounty Hunter program rewards are at the sole discretion of Centrality.
- The minimum reward for eligible bugs is the equivalent of 100 USD in CENNZ/ETH/BTC.
- Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues, i.e. where the identified issue could put a significant number of users at risk of severe damage, monetary or otherwise.
- Each bug will only be considered for a reward once.
How to report a bug
- Send your bug report to email@example.com, including the information below:
- your name
- description of the bug
- attack scenario (if any)
- other details
- Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps to reproduce it or a proof of concept.
- In the email subject, please use the following format: [SEVERITY LEVEL] Centrality BUGBOUNTY (the severity level is your own assessment of the issue).
- Please allow 2 business days for us to respond before taking any further action
Once the issue has been submitted, our team will review the information, assign a severity level (which may differ from the one you chose) and forward the report to a member of the Bug Bounty Program team, who will contact you with details of the next steps. You will be asked to provide proof of identity and an ETH/BTC address to which the reward can be paid.
Important legal information
The Centrality Bug Bounty Program is a discretionary rewards program for our active community to encourage and reward those who are helping to improve Centrality’s software. It is not a competition. We can cancel the program at any time, and awards are at the sole discretion of the Centrality development team. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists. You are responsible for all taxes payable in connection with the receipt of any rewards. All rewards are subject to the laws of New Zealand. Finally, your testing must not violate any law or compromise any data that is not yours.
We will do our best to respond to your submission as quickly as circumstances allow, keep you updated on the fix, and grant a reward where appropriate. If you make a good-faith effort to follow these rules when finding and disclosing a vulnerability, we will not treat your actions as an attack and will not take legal action against you.
Governing law and jurisdiction
Any obligations arising out of or in connection with the Centrality Bug Bounty Program or its subject matter will be governed by and construed in accordance with the law of New Zealand, and the courts of New Zealand will have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Centrality Bug Bounty Program.
If you have a query or complaint about the Centrality Bug Bounty Hunter Program, please contact us at firstname.lastname@example.org