Bholdus recognizes the importance of security researchers in keeping our community safe. We encourage responsible disclosure of security vulnerabilities via our Bug Bounty Contest described on this page.
Bholdus is serious about security and we do our own internal scanning and testing through a QA process. We are aware that every mistakes can’t be caught by our team alone, which is why we rely on the safety net of the community to bolster our processes. We value the participation of every participants and will be as transparent with our known issues as possible.
This event is ONLY for disclosing software security vulnerabilities.
PRIZE ALLOCATION (Up to $10,000!)
Severity shown in the structured scopes (find below) indicates the maximum severity possible for reports submitted to the asset. Once the report has been triaged as valid, it’s considered for the Bug Bounty.
The amount rewarded will be decided according to/based on the severity of the reported bug:
If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.
We have not set a maximum reward for the reporting of security vulnerabilities and may increase reward amounts based on the severity of the vulnerability found. The specific amount of the bug will vary according to:
- The effect of the bug.
- The cause of the bug.
- Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.
- The process through which the bug was discovered. Besides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward.
- Avoid any privacy violations, destruction of data, interruption or degradation of Bholdus businesses, including Denial of Services attacks.
- Any kinds of vulnerability exploitation is NOT allowed, including through making it public or by obtaining a profit (other than a reward under this Contest).
- Do NOT publicly disclose any vulnerabilities without an official consent from Bholdus. Bholdus will NOT approve Public Disclosure requests until the vulnerability has been resolved.
- Do NOT attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Submit only 01 vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
- If Bholdus receive duplicate reports of a specific vulnerability, only the 1st report is eligible for a reward.
- Bholdus reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.
- By submitting a bug, participants agree to be bound by the rules stated above.
QUALIFYING VULNERABILITIES WE PRIORITIZE:
- Bugs in our implementation of the cryptographic primitives.
- Remote Code Execution on any Bholdus node and the reference wallet implementation.
- Vulnerabilities that disrupt the consensus result and performance.
- Unauthorized movement of funds, access to private keys.
- Vulnerabilities that affect the stability, connectivity, or availability of the whole network.
- Individual node, or the reference wallet implementation.
- Transaction origin spoofing.
- Vulnerabilities that affect the stability or availability of Bholdus Chain (BHC20).
- Significant manipulation of the account balance.
- Data leakage.
- XSS/CSRF/Clickjacking affecting sensitive actions.
- Theft of privileged information.
- Partial authentication bypass.
- Other vulnerability with clear potential for financial or data loss.
- Bugs in any third party contract or platform that interacts with Bholdus Chain.
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Reports based on information taken or obtained through illegal access of Bholdus Confidential information.