
Fireblocks MPC
External Program
Submit bugs directly to this organization
This program is for the disclosure of software security vulnerabilities only. The program only covers code found in the mpc-lib repository (https://github.com/fireblocks/mpc-lib).
This policy governs the MPC Bug Bounty Program (the “Program”). Note: Fireblocks has additional bug bounty programs, such as the Fireblocks Bug Bounty Program, which are governed by their own separate policies.
Security researchers play a crucial role in ensuring the safety of the blockchain industry as we build toward a common goal. Fireblocks actively encourages the responsible disclosure of security vulnerabilities through our Bug Bounty Program so that we may enable every business to manage their digital asset operations and build innovative businesses on the blockchain.
With the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest-priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.
To qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.
To be deemed valid, a report must demonstrate a vulnerability within the scope; only a valid, in-scope report qualifies for a bounty.
If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.
Bounty awards are based on the severity of the vulnerability.
For your reported vulnerability to be eligible, you must:
| Vulnerability Tier | Example Vulnerability |
|---|---|
| Critical | Retrieving the key or rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts. |
| High | Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts. |
| Medium | Leaking bits of the private key or causing memory corruption. |
| Low | Exploit exposure to a smaller subset of non-critical systems and/or data |

| Vulnerability Tier | Reward |
|---|---|
| Critical | Up to $250,000 |
| High | Up to $100,000 |
| Medium | Up to $40,000 |
| Low | Up to $5,000 |
The rewards listed next to each tier are the maximum bounties for that tier. The specific amount awarded for a bug will vary according to:
Fireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.
PLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.
We are looking to find security issues affecting our blockchain protocol such as:
Please review the following participation eligibility criteria before participating in the Program:
**We reserve the right to modify the Program or cancel it at any time.**
Fireblocks reserves the final decision and will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award depending on severity.