RootstockLabs, previously IOVLabs
RootstockLabs is on a mission to provide the next generation of fintech innovators with the decentralized tools and technology to build a new global economy.
The organisation helped launch the Rootstock blockchain in 2017, which builds on Bitcoin's unparalleled hashing power, security and decentralization by adding smart contract capabilities, nearly instant payments and higher scalability. Rootstock now hosts hundreds of DeFi protocols and products built by developers around the world.
In 2018, RootstockLabs launched the Rootstock Infrastructure Framework (RIF). Built on Rootstock, RIF reduces time to market for businesses and developers building cutting-edge solutions using blockchain technology secured by Bitcoin.
RootstockLabs rewards researchers who submit valid vulnerabilities to improve the security of the RootstockLabs platforms.
SLA
RootstockLabs will make a best effort to meet the following SLAs for hackers participating in our program:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 7 business days
- Time to bounty (from triage) - 15 business days
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Follow HackerOne's disclosure guidelines.
- Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) but reports to RootstockLabs with considerable delay, then RootstockLabs may reduce or cancel the bounty.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Do not violate any privacy policy, destroy any data, or interrupt or degrade our service. Only interact with accounts you own or with explicit permission of the account holder.
- The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated.
- The submitter grants RootstockLabs the right to use parts or all the submitted report for communicating the vulnerability to the public.
- Only test on nodes that you own. Avoid testing that could be damaging to RootstockLabs infrastructure or other users.
- RootstockLabs development team, employees and all other people paid by RootstockLabs, directly or indirectly, are not eligible for rewards.
- A person who submitted a change in the RootstockLabs codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.
- Reports must include a working Proof of Concept (PoC) that demonstrates the vulnerability under realistic, production-like conditions. PoCs that rely on mocked assumptions or simulated components not present in the actual environment might be rejected.
Scope
Our bug bounty program spans end-to-end: from soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, etc.) and protocol implementation. Classical client security as well as security of cryptographic primitives are also part of the program. Most JSON RPC methods and CSRF attacks against them are in scope.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- DoS attacks that require sending multiple network packets at any layer. We’re interested in DoS that depends on the data and can't be stopped at the network level.
- Findings related to the encryption or access control of the integrated wallet.
- Attacks requiring physical access or local user-level access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Denial of our service (DoS) not directly related to a flaw in the RootstockLabs code or environment.
- JSON RPC:
  - The personal module and the filter API, including eth_newFilter, eth_blockFilter, eth_getLogs.
- For the TokenBridge project:
  - Private key handling and storage is out of scope.
  - Malicious ERC20 tokens are out of scope because there is a whitelisting process in place.
Thank you for helping keep RootstockLabs and users safe!