SubDAO has completed auditing through Slow Mist. To further test the security of our smart contracts and thereby detect possible vulnerabilities, we invite and challenge everyone to find attack vectors/security vulnerabilities in the SubDAO Network.SubDAO is officially launching our ongoing bug bounty program, which is now open for community participation.
From today, we will start offering rewards for bugs or security flaws identified on SubDAO.Network and report to us according to the guidelines below. Bug bounty tiers will be assessed and rated by our security team along the following scale.
Bounty will be rewarded based on the degree of severity of the vulnerability. Duplicate issues already made or filed by other persons cannot be rewarded again. Issues already made public by the team or a 3rd party cannot be rewarded. Once again, please perform your tests on SubDAO.network
- Epic: If a bug is considered to be valuable after evaluation by the development team, it will be classified as Epic and awarded. (Reward $500- $1,000)
- Crash: A bug that causes a breakdown of the SubDAO system and affects the use of the functionality. The development team evaluated the ability to reproduce a bug below the epic level, which was classified as crash level. ( Reward $250- $500)
- Critical: Affecting normal use, high-frequency operation, and high recurrence rate. After a comprehensive evaluation by the development team, it is classified as a serious bug. ( Reward $120- $250)
- General: Affecting normal use, medium frequency operation, and high recurrence rate. After a comprehensive evaluation by the development team, it is classified as a general bug.( Reward $50- $125)
- Minor: Low-frequency operations that did not affect the normal use of the SubDAO system, which can be repeated, were evaluated by the development team and identified as minor bugs. ( Reward Up to $50)
Areas of Interest
These are some of the bugs and vulnerabilities that we are especially interested in:
- Logic Errors
- Congestion and scalability
- Cryptography issues
- Missing access controls/unprotected or debugging interfaces
Out of Scope
- Attacks that the hunter has identified and exploited, leading to damages
- Attacks requiring access to leaked keys and credentials
- Best practices, opinions, and critiques
- Sybil attacks
- Phishing or social engineering attacks against the SubDAO users or team will be disqualified.
- Testing with malicious or third-party systems or websites such as browser extensions, advertising networks, or SSO providers will be disqualified.
- Denial of service attacks will be disqualified.
- Automated or bot testing that generates heavy traffic will be disqualified.
- Public disclosure of unamended or unpatched vulnerabilities will be disqualified.
- Only those vulnerabilities that are original should be awarded a bounty. In case of a duplicate report or two users reporting the same bug, the fastest user who submitted the report FIRST shall be awarded.
- Public disclosure of the vulnerability, before the SubDAO team resolves it without explicit consent from the team, will make the bounty hunter ineligible for further participation.
Publicly disclosing a vulnerability can put all SubDAO users at risk. If you have discovered a possible vulnerability, please email us at email@example.com.
We will work with you to assess and understand the scope of the issue and fully address any concerns. All security emails and vulnerability reports are immediately forwarded to our security engineering team to ensure that problems are addressed rapidly. Any security reports are treated with the highest priority as the safety and security of our service are our primary concerns.
SubDAO is a DAO infrastructure that helps manage digital assets through middleware, multi-sig, and other decentralized features. SubDAO has completed multi-million dollar financing from dozens of institutions, including Messari founder Ryan Selkis, Hypersphere Ventures, OKX Ventures, Huobi Ventures, CMS Holdings, Divergence Ventures, FBG, Signum Capital, NGC Ventures, Kenetic Capital, Gate.io Labs, etc.
Follow Twitter https://twitter.com/subdao_network