Bug Bounty Policy for the Hedera Network
Introduction
We welcome everyone to help find security vulnerabilities to keep the Hedera network safe for customers and users.
This Bug Bounty program is administered by Hashgraph Foundry Inc. ("Hashgraph," "we," "our") using the HackerOne platform. By participating, you agree to this Bug Bounty Policy as well as to comply with the HackerOne terms and policies that govern your use of their platform. (For your convenience, you can access HackerOne terms and policies via the following link and the further links provided there: https://www.hackerone.com/terms/finder)
Available Bounties
A valid submission is any in-scope report that clearly demonstrates a software vulnerability that could harm the Hedera network and/or its users. A report must be in scope and meet the rules of engagement in order to qualify for a bounty. A description of which issues are in scope, and which are clearly out of scope, can be found further below in this Policy. We will determine in our sole discretion whether a report is eligible for a reward under this Policy and the amount of the award.
The bounties or rewards listed under each tier are a maximum for each tier. Previous bounty amounts are not precedent for future bounty amounts. Vulnerabilities already known to Hedera or Hashgraph (whether resolved or not) are not eligible for bounty rewards. Bonuses separate from the bounties may be awarded under exceptional circumstances at Hashgraph's discretion.
Response Targets
Hashgraph will make a best effort to meet the following response targets for submitted reports:
| Type of Response | SLA in business days |
|---|---|
| First Response | 3 days |
| Time to Triage | 7 days |
| Time to Bounty | 5 days from triage |
| Time to Resolution | Depends on severity and complexity |
We'll try to keep you informed about our progress throughout the process.
Report Checklist
- Reports for issues that are out of scope will not be considered. Please check before you submit
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
- Any reports for issues that are out of scope but that we deem valuable or business impactful to Hedera will be considered at our sole discretion
Eligibility & Program Rules
To be eligible to participate you must:
- Be at least 18 years of age
- Agree and adhere to the Program Rules and legal terms as stated in this Policy
- Be available to supply additional information, as needed, to reproduce and triage the issue
- Not be a resident of, or make submissions from, a country against which the United States has issued export sanctions or other trade restrictions
- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program
- Not be an employee, contractor, or agent of Hashgraph or Hedera; such persons are not permitted to participate in the Bug Bounty Program
Program Rules:
- We only award the first report that was received (provided that it can be fully reproduced as described in the report)
- Don't attempt to access another user's account. You can do cross-account testing, but only use accounts that you own/control
- Do not use duplicate HackerOne accounts
- Use Hedera Local Nodes, Previewnet or Testnet for testing purposes. The Hedera Mainnet is for production use and should not be used for testing
- Only latest versions of libraries are in scope
- Do not impact other users with your testing. This includes ensuring that you do not test for vulnerabilities by impacting an account you do not own
- Never attempt non-technical attacks. Social engineering, phishing, or physical attacks against anyone, including but not limited to Hedera employees, contractors, node operators, developers, or users, or against the network infrastructure is not allowed
- Multiple vulnerabilities caused by an underlying issue: Only the highest impacting bounty will be rewarded
- Make a good faith effort to avoid privacy violations, destruction of data, and network interruption
- Comply with all of the HackerOne terms and policies that apply to your participation through their platform. If any terms in this Policy conflict with the HackerOne terms or policies, the terms of this Policy will control
- In order to receive a bounty payment, you may be required to submit to HackerOne's KYC / KYB process for compliance reasons. Bounty payments may only be processed for participants whose KYC / KYB documentation is complete and approved
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent.
- Follow HackerOne's disclosure guidelines.
In Scope Vulnerabilities
Examples of valid issues to report on for this Bug Bounty Program on the Hedera network:
- Sensitive information leakage (e.g., private keys, wallet credentials, etc.). Public keys are excluded from this scope
- Transaction tampering (e.g., changing the recipient address or amount)
- Transaction replay (e.g., double-spend)
- Correct transaction fees not being applied
- Authorizing transactions without approval from the required signers/owners
- Preventing the network from reaching consensus on transactions that are submitted
- Preventing gossip of a transaction or multiple transactions
- Bugs that cause the in-scope service to crash (e.g., non-network-based DoS)
- Remote code execution vulnerabilities (proof of concept required)
- Attacks that cause a probabilistic consensus failure; or a deterministic consensus failure in reconnected nodes
- Effective non-network-bandwidth-flooding DDoS attacks (e.g., transaction hammering)
- Loss of funds by permanent freezing or direct theft
- Tampering with or manipulating Hashgraph history to invalidate transactions
- Incorrect or missing records exported to mirror nodes
- Preventing a node from accessing the network
- Bugs in the economic system that allow defrauding other participants (e.g., avoiding transaction fees to full nodes)
- Unauthorized Hedera Token Service (HTS) activity
- Overpayment or underpayment of staking rewards
- Theft of unpaid staking rewards
- Malicious capabilities of Hedera Token Service functions exposed via System contracts (e.g., transferring assets out of an account without permission)
- Smart contract modifiers not respected (e.g., functions checking for address authorization being overridden and granting access when they shouldn’t)
Additional Program Policies, Terms, and Safe Harbor
We will not initiate legal action for security research conducted pursuant to all Bug Bounty Policy terms (including pursuant to all applicable HackerOne terms and policies), done in good faith. This includes occasional accidental violations. We consider these activities consistent with the policies to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c).
Any researcher who circumvents the technological measures used to protect any assets found within scope will not be pursued by us with a DMCA claim. If a third party initiates legal action against you, and you have abided by the Bug Bounty Program Policy, we’ll make it known that your actions were in compliance with this policy.
If your security research involves any network, system, information, application, product, or service of another party that is not Hedera, that party is not bound by our pledge and may determine to pursue legal action. Security research on third-party entities cannot be and is not authorized by us.
If your intended conduct is inconsistent with or unaddressed by this policy, please submit a HackerOne report before engaging in research activities. Please include a detailed description of your intended conduct. We will determine whether it is consistent with this Bug Bounty policy and, if appropriate, will update the Policy accordingly.
In order for security researchers to fully investigate potential security vulnerabilities, we believe it’s important to provide these assurances. It’s important to embrace the standardization of policy language that provides legal protection to security researchers.
We reserve the right to modify the Bug Bounty Program or Bug Bounty Policy or to cancel the Bug Bounty Program at any time. The current Bug Bounty Policy as described on this page is v2.0.
Participating in the Bug Bounty Program does not make you an employee, contractor, or agent of Hashgraph; you shall not be considered an employee of Hashgraph or have any rights as an employee; and nothing in this Policy is intended to make you and Hashgraph partners, joint venturers, or employer and employee. To the fullest extent permitted by law, in no event will our total liability to you under this Bug Bounty Program exceed the amount of the maximum bounty for the tier applicable to your submission.
Thank you for helping keep the Hedera Public Network and its users safe!