The Graph Joins Immunefi with the World’s Largest Bug Bounty in History: $2.5 Million


Immunefi

The Graph Foundation is offering a record-breaking $2.5 million bug bounty to incentivize developers and whitehat hackers to dig up critical vulnerabilities in their smart contracts.

TL;DR: are you here for the reward structure? Skip to just past the human-hunting mantis.

Before we delve into the details of the world’s largest bug bounty, let’s take a stroll through time, back to where it all began…

Do you know what the first bug bounty was?

The first known bug bounty was run by Hunter & Ready in 1983 for their Versatile Real-Time Executive (VRTX) operating system.

Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.

The First ‘Bug’

Twelve years later, in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape, coined the phrase ‘bug bounty’.

Ridlinghafer discerned that Netscape had many evangelists, some of whom could even be considered fanatical about Netscape’s browsers. His investigation led him to discover that those evangelists were actually software engineers.

They were fixing the product’s bugs on their own and publishing the fixes or workarounds either in the online news forums set up by Netscape’s technical support department or on the unofficial “Netscape U-FAQ” website, which listed all known bugs and features of the browser, along with instructions for workarounds and fixes.

Ridlinghafer proposed the ‘Netscape Bugs Bounty Program’ to channel the enthusiasm of Netscape’s activist-evangelists. The idea was presented at an executive team meeting attended by, among others, Marc Andreessen, who embraced it and granted an initial $50k budget.

On October 10, 1995, Netscape launched the bug bounty for the Netscape Navigator 2.0 Beta browser.

Netscape -> Immunefi

Immunefi, founded in December 2020, is the premier bug bounty platform for smart contracts and DeFi projects. Security researchers can review code, disclose vulnerabilities, make crypto safer, and most importantly get paid. Immunefi has provided hackers a way to put their skills to legitimate use and has paid out more than $3 Million in bounties to date.

With over $1B in user funds prevented from being stolen or misused, Immunefi’s live roster of available bounties has grown to $31 Million (and counting) worth of bug bounties, waiting to be discovered & claimed.

The Graph Protocol has collaborated with Immunefi to launch the largest bug bounty program in history, setting an example for the rest of the industry of what prioritizing security looks like.

The program went live on Aug 4, 2021, with a maximum reward of $2,500,000, paid in GRT tokens. Its primary goals are to mitigate the risk of lost user funds, exposure of private data, and Sybil attacks. It also targets incorrect query results returned by Indexers due to Indexer software anomalies and other associated vulnerabilities.

Are you hunting the bug, or is the bug hunting you?

The Bounty Program Rewards

Whitehat hackers are rewarded according to the severity of the reported bug and the scale of the potential damage, based on the 5-level Immunefi Vulnerability Severity Classification System.

The paid tiers and their associated rewards are:

- Critical: Freeze contract holdings or drain funds, e.g. via flash loan attacks or reentrancy (up to $2,500,000)
- High: Temporary inability to transfer funds from token holders’ wallets ($200,000)
- Medium: Excessive gas consumption and denial of service ($20,000)
- Low: Contract does not return the promised returns ($5,000)

Rewards for Critical findings are capped at 10% of the total economic damage the vulnerability could cause.

How To Register?

The registration process is straightforward. To be eligible for bounties, bug bounty hunters must first register through The Graph Foundation’s KYC platform.

Then you can submit bug reports with the necessary logs and data to Immunefi to receive a reward. Submissions should include the documentation and code needed to reproduce the vulnerability, as well as suggestions for fixing it.

Which Scenarios are In-Scope Under the Bounty Program?

- Loss of funds due to bugs in smart contracts, gateway, or Indexer software
- Faulty query fee and indexing reward payouts
- Economic attacks in which all stakeholders lose funds
- Impersonating network participants and consequent malicious activity
- Stolen private data due to bugs in the smart contracts or Indexer software, or remote code execution
- Ineffective Indexer functionality
- Abnormal network load without sufficient GRT fees
- Inaccurate query data
- Griefing attacks
- Sybil attacks
- Non-deterministic syncing of subgraph data (graph-node only)

Learn more about how to participate in the bug bounty at bugs.immunefi.com.

P.S. Want a little guidance on finding million dollar bugs? Check out this interview with legendary hacker Alexander Schlindwein.
