Aleo Community Call #59: Bug Bounty Program (May.


Ihar Redin

This was the 59th official community call for Aleo. Aleo's Head of Growth, Anthony DiPrinzio, discussed the bug bounty program, which focuses on bugs in the core protocol, specifically the snarkOS and snarkVM GitHub repositories. In the second half of the call, he talked more about the Tooling & Infrastructure Grants Program.

Anthony DiPrinzio, Head of Growth at Aleo

Anthony: Thanks for having me. Really excited to be speaking on the community call. Maybe just before I start I’ll give a quick intro of myself. My name’s Anthony. I help lead ecosystem growth here at Aleo. It’s a very cross-functional role: I work with product, marketing, business development, Viv and the community, and a lot of different folks here on the Aleo side. For those of you who have been in our community over the past two years, maybe you remember me when I used to participate in these calls with our other colleague Sam. For all the OGs, I’m excited to be back here to speak with you all. Yeah, basically the reason I was invited today is to talk about Aleo’s Bug Bounty program. If you aren’t familiar, Aleo actually just yesterday officially announced our Bug Bounty program. If you want to find more details about that you can go to our blog at aleo.org/blog. It’s the most recent one. That’ll cover all the specific details.

Today what I wanted to do was give a high-level overview of the program, why we’re doing it, and how you can participate if it’s of interest. And then I’m also happy to answer any questions people have. So I guess just to get started maybe we can begin by talking about what a bug bounty program is. So a bug bounty program is essentially a way to incentivize white hat hackers, security engineers, and other developers to help find vulnerabilities and bugs within some project or open source architecture. So obviously in this case, since Aleo is launching this program, we want all of you to help us find critical vulnerabilities on the Aleo network. More specifically, for this program in particular, we really want people to look for bugs in the Aleo core protocol, and you might be wondering ‘Okay, why are we incentivizing people to find vulnerabilities in the network?’ Well, the main reason is that we’re in a testnet, which all of you are currently aware of, and the purpose of a testnet is to basically test the network and see where there might be some issues. So that when we get to the mainnet launch we can resolve those issues and problems that might arise, so that they don’t occur when the network is actually live. And so the best way for us to find those issues is to have extra eyes that are outside of the core team looking through our code base and finding some of these vulnerabilities. And so that’s the main reason that we’ve launched this program. We’re really looking towards our community and other skilled developers and individuals to identify some of those issues. I will preface this by saying maybe some of you saw, and we also posted this in our Twitter announcement, I know we put out a message on Discord, but there was a vulnerability that was found this past weekend. And as we’ve mentioned, obviously finding vulnerabilities can be kind of scary, but at the same time, it was actually really mind-opening for us and is helping us to secure Aleo before the mainnet launch. In a way, it was actually good that, you know, the contributor found the bug before the mainnet launch. We are looking for folks to help us find some more of those issues; perhaps they might not be as critical as that one, but nonetheless, any issue to us is valuable to find.

If you’re interested in submitting a bug report you can actually do so right now via HackerOne. For those of you who aren’t familiar with HackerOne, they are a professional platform that actually hosts bug bounties for various different organizations across the board, not just crypto. In fact, they have companies ranging from traditional web2 companies to web3 companies such as us and everywhere in between. They have a really great reputation, and using their platform actually helps us to facilitate this process in a more efficient way and ensure that we’re giving people the right platform and the right processes to properly submit a report. Because finding a bug is one thing, but then being able to report it in the right manner and make sure it’s being assessed by a skilled team is just as important. And so that’s why we’re using this platform to actually manage the program.

If you read our blog post, we’ll also be partnering with another bug bounty platform called Bugcrowd. That platform has not officially launched yet; we’re just about there to get that up and running. There’s no real difference between the two. So the scope and the assets that are targeted for these programs are exactly 100% identical on both Bugcrowd and HackerOne. It’s basically up to you which platform you want to submit your report to. The other reason that we partnered with two platforms is that these organizations actually curate a lot of really high-quality security engineers from around the world. Again these are people not necessarily in web3 in particular, they’re just reputable white hat hackers from across the board, and so it’s really great for us to source from their talent pools as well, so we can have more high-quality talent looking through our open source code and trying to find these vulnerabilities. So that’s the main reason we partnered with both organizations.

In terms of the monetary rewards, we are giving out bounties ranging from five hundred dollars for a really low vulnerability all the way up to twenty-five thousand dollars plus for a critical vulnerability. As of right now, we are running this initial program for a six-month period with the intention of extending it past the mainnet. But since this is the first time we’ve actually run a bug bounty program here at Aleo, we really want to use this as an opportunity to figure out what’s the right bounty structure to have, who the kinds of people submitting are, are we getting value out of this? Over time, we will actually evolve the program once we have more of these findings. If you’re curious about the bounty structure or anything like that: again, the reason we started with this initial set and this initial range is to test the waters and see how things go. I will make a note, and this is written in the blog post, that no matter what severity level the bug is that you submit a report for, we can always give you a bonus payment. So if you find a medium-severity bug but it has a tremendous impact on the ecosystem, then we’ll definitely be incentivized to give you a bonus. The other thing I will say is if you find a really, really critical bug that could have the potential to be super detrimental to the network, we can always award you over the twenty-five thousand dollar limit. So just to be aware, there are possibilities to earn a nice sum of money, depending on what you submit. And one of the other questions I think a lot of people have is ‘Well, how are you guys determining severity?’ So the way we’re doing that is we’re actually using something called the Common Vulnerability Scoring Standard, or CVSS for short. If you go to the HackerOne page, there’s a link in the scoping section of the program that explains how the severity breakdown works, and this is a unified system that people across the board use for bug bounty programs globally to assess severity. When you submit you can tell us what severity you think it is, but ultimately we’re going to cross-check that with this scoring standard to see if you’re claiming a critical vulnerability, is it actually critical, or maybe is it something lower. So that’s how we are assessing the bounty severity.

Then one other thing is the people triaging these bug reports are a team from HackerOne and Bugcrowd respectively. We’re actually working with their team of security engineers to do an initial review of all reports, and then internally at Aleo we have a subset of our engineering team that will also be doing a review of every single bug report. So regardless of whether your report is accepted or not, it will be reviewed by a team and you will receive feedback via the platform. And when you sign up for these platforms you will have to create an account and abide by all of their rules and instructions. Again, just like with anything else, you will have to pass KYC to receive any rewards. This is done through both platforms; it’s handled entirely by them, but just so you’re aware.

Maybe one of the last things I’ll say is, because we’re in testnet, I kind of mentioned this at the beginning, we are really just focusing right now on the Aleo core protocol. So any bugs or bug reports you submit must involve the Aleo core protocol. If you want to break that down even further, what constitutes the Aleo core protocol is two key GitHub repositories. So for all of our engineers in this call who have gone through our GitHub, that would be one, snarkOS, which is our operating system, and snarkVM, which is our ZK Virtual Machine. So it’s basically any vulnerabilities that impact one or the other of those two GitHub repos that we’re accepting. So for example, if you find a bug in a deployed program on top of the Aleo blockchain that somebody wrote, that, for example, would not count for this particular Bug Bounty program. Like I said at the beginning, we do have plans to expand this program, and in the future, especially at mainnet launch when there are a bunch of programs deployed and there are more people building with Leo, we most likely will have a program for people to find those types of vulnerabilities. But for this initial program, it is very much focused just on the Aleo core protocol.

If you read through the scope on the HackerOne platform or on our blog post, all of this is clearly laid out, but I just wanted to reiterate that for people, and again the purpose for that is because the core protocol is going to be where the mission-critical bugs lie. And those are the ones that we really need to make sure that we address and we are aware of before mainnet launch. I’m not saying that other bugs in the ecosystem aren’t important. Every bug is important to identify. But in terms of strategic priorities we absolutely 110% need to make sure that our core is solid. Because if something’s wrong with the core protocol, that’s going to impact everything else on the Aleo network.

We have a list of things that are out of scope. I will say this program is pretty broad; as long as you’re looking at those two GitHub repos, there’s not much that’s really out of scope. I will say something that could impact the likelihood of you receiving a reward for a bug report is if you don’t follow our submission guidelines. And the reason for this is that we’re going to be looking through a lot of different submissions, and so it’s really important that you follow our templates so that we can review them as efficiently as possible and make an accurate decision. And so when you submit, the primary thing that you’ll need to do is provide a proof of concept demonstrating that this vulnerability actually exists and how it can be exploited. So really what you’ll need to do is provide a detailed overview of the vulnerability, and then you’ll need to basically include any other documentation that you might have. You can also submit a video, that’s something that’s available when you produce a report, and any extra additional information that you would like to provide. The more you provide the better.

One other thing, for people that submit the same vulnerability, which might happen, we are going to reward the person who submitted it first. And we will make sure that if you are somebody who did not submit it first, we can point you to the report or the individual that did submit it first. So that is something we’ll be looking at. So unfortunately, if somebody finds the specific bug that you wanted to report already, we can’t reward you for that. I think that those are the main things I wanted to discuss.

Viv: Great! Thank you, Anthony, this has been so incredibly helpful and insightful. Can you chat a little bit about kind of the overlap of the Grants program and Bounty program and maybe how a Bounty could lead to a Grant, a little more on that front?

Anthony: Yeah, for sure. So for those of you who aren’t aware, we have a grants program. Right now we are assessing a number of applications for the grants program that are focused on tooling and infrastructure. Again, going with the theme of mainnet launch, having really solid tooling and infra is super important, especially for early-stage developers that want to start creating the future, or sorry, next-generation applications on the Aleo network. Huge shout out to our community member Haruka; I’m sure a lot of you have used his explorer. That’s an example of a piece of infrastructure that a community member built and is actually really, really good. We want more of that, and so that’s what’s going on right now. I actually just had an interesting discussion with our CEO Alex Pruden, actually, Viv was involved in that conversation as well, and our other colleague Sam, and one thing we want to do is start to open up the grants program to include generalized applications. So for people that saw our announcement on deploy incentives, all those categories like ZKML, gaming, zero knowledge decentralized finance, all these different categories we actually want to bring back into the grants program. So there will be more details on that to come, and really what we’re looking for is small wins for the grants program. You don’t necessarily need to do something super overly complicated. We’d love to have that, but for us, because we’re such an early-stage project and we’re really gearing up for mainnet, the important thing is to have a solid foundation of base-level applications and primitives that other people can leverage to start building out their different ideas. And so that’s the grants program. We’ll continue to share that with all of you and hopefully get more people submitting, but how that ties into the Bug Bounty program, there’s not directly a one-to-one correlation. I will say that if you are somebody who finds a vulnerability on Aleo, I think that signals you as a person who has a lot of talent and is a high-quality contributor to the ecosystem, and we definitely want to keep working with you. From my perspective, I think you could almost see that the Bug Bounty program is almost like a way for us to find some of those community members who may also want to build for the grants program. But just to be clear, they are like two different things, right: Bug Bounty is more just ‘let’s find vulnerabilities’ in the protocol, and then the grants program is more ‘Hey, I want to actually build some product on Aleo or some cool project’. I will say though that one area that does directly correlate to the grants program pretty well is our hackathons, capture the flag events, and other sorts of short-term initiatives where we want to bring people in quickly and have them hack on stuff. For the ZKML initiative, which I’m sure a lot of you are familiar with and which we just launched, we got some great output from that. Those sorts of initiatives we want to use as another way to identify high-quality contributors to the network, so not only can you participate in those kinds of activities and win rewards from that, but even if you don’t and you build something cool, now we know who you are and we can identify you and we can give you other opportunities, which could be through the grants program. Sort of giving you a more formalized pathway to start building on the Aleo network where potentially you could get some funding, and even in the future, right, once Aleo’s really successful and we’ve launched mainnet, even doing things like an accelerator program or investments in projects; a lot of other Layer 1s do this in the space. We’re a bit early for that, but this is kind of where you can see the pathway headed. And so the Bug Bounty program is kind of just one of those initial bedrock programs that are going to help us evolve into a really robust ecosystem.

So yeah hopefully that answered the question. Not directly correlated but for sure is a good way to identify some of the talent.

Viv: Totally, thank you so much, Anthony! That absolutely answered the question. Just to reiterate what Anthony said, Aleo is in testnet. This is a test network, we are building this open source, which means that we are building it by the community, for the community almost. And a huge part of that is: what is the community finding, what are the blind spots that certain people aren’t seeing? It takes a village, and it takes a village to ship any sort of mainnet, as you guys have seen. So that’s what we’re really like opening the gates for and pushing heavily, like ‘help us build this village’. And you guys are doing it. I mean, we are so thankful to our community, to our ambassadors. Cool! On that note, I think we’ll wrap up. This has been really a wonderful community talk. Anthony, thank you again so much for joining us. What a treat it was to have you back, and everyone else, thanks for tuning in. We will talk to you guys on Discord.
