Bug Bounty Program

Program Overview

Bitfari is a new protocol for digital advertising and ambient social media that makes cities smarter.

For more information about Bitfari, please read the whitepaper here: https://bitfari.org/whitepaper/

This bug bounty program is focused on Bitfari’s smart contracts. The focus is preventing:

  • Loss of user funds
  • Loss of governance funds
  • Theft of unclaimed ad space
  • Freezing of unclaimed ad space
  • Temporary freezing of funds
  • Inability to access a smart contract

Rewards by Level

We measure threat level using a simplified 5-level scale, in which threats in smart contracts come first, threats in websites/apps come second, and the severity of an exploit is correlated with the entangled nature of the unit where it was found. A bug found in a highly connected smart contract or module is, according to our scale, a bigger threat, and we’ll pay accordingly for it to be found and fixed.

Smart Contracts and Blockchain

  • Critical: 40K Faris Approx
  • High: 20K Faris Approx
  • Medium: 6K Faris Approx
  • Low: 3K Faris Approx

Web and Apps

  • Critical: 5K Faris Approx

* These payment figures are for mainnet. If a bug is found on testnet, we will pay half of the figures above.

Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain

  • Logic errors
    • including user authentication errors
  • Trusting trust/dependency vulnerabilities
    • including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
  • Congestion and scalability
    • including running out of gas
    • including block stuffing
    • including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
    • Signature malleability
    • Susceptibility to replay attacks
    • Weak randomness
    • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Websites and Apps

  • Remote Code Execution
  • Trusting trust/dependency vulnerabilities
  • Vertical Privilege Escalation
  • XML External Entities Injection
  • SQL Injection
  • LFI/RFI
  • Horizontal Privilege Escalation
  • Stored XSS
  • Reflective XSS with impact
  • CSRF with impact
  • Direct object reference
  • Internal SSRF
  • Session fixation
  • Insecure Deserialization
  • DOM XSS
  • SSL misconfigurations
  • SSL/TLS issues (weak crypto, improper setup)
  • URL redirect
  • Clickjacking
  • Misleading Unicode text