January 10, 2024

By CjS77

A new bug bounty program!

When we updated our Responsible Disclosure policy last year, we did so with a very limited budget.

Members of the community were very quick to point out that the size of the rewards was not commensurate with the scale of the issues we were asking the community to help us find.

Now that 2024 has rolled in, and we’re in touching distance of the Minotari mainnet launch, we’re able to substantially increase the value of the rewards we’re offering; primarily in the form of Tari tokens.

Yes, for all intents and purposes, we’ll pay you a quarter bar in Minotari tokens for consensus-breaking bugs.

There are some Ts & Cs. I’ve highlighted the major ones below, but you can skip all of this and go and read the full, updated Tari Security Policy right away.

We are still offering cash rewards, but the lion’s share of the reward value will be coming from the token bounty allocation.

Get cracking!


Cash bounties

The payouts for cash bounties have actually gotten a slight boost. We have partnered with HackerOne for our new bounty programme, and the payouts are as follows:

| Severity | Maximum bounty | Example of vulnerability |
|----------|----------------|--------------------------|
| Critical | $5,000 | Inflation bugs, spending unowned funds, producing valid blocks without mining |
| High | $2,000 | Double spends, severe DoS, forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys |
| Medium | $750 | Other DoS, other TariScript vulnerabilities |
| Low | $100 | Minor bugs or non-blockchain issues (e.g. on tari.com, explore.tari.com etc.) |

Token-based bounties

If you make use of the HackerOne programme, we may issue a token reward in addition to the cash bounty. The token rewards are awarded according to the following schedule:

| Severity | Bounty range* | Example of vulnerability |
|----------|---------------|--------------------------|
| Critical | $100,000 - $250,000 | Inflation bugs, spending unowned funds, producing valid blocks without mining |
| High | $25,000 - $75,000 | Double spends, severe DoS, forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys |
| Medium | $5,000 - $15,000 | Other DoS, other TariScript vulnerabilities |
| Low | $500 - $5,000 | |

*As the Minotari price is unknown prior to launch, values are quoted in USD-equivalent terms at time of delivery. The bounties will be paid out in Minotari. For example, if the trading price of Minotari was $0.04, a medium-severity award of $10,000 would be converted to 250,000 Minotari tokens.

Terms and conditions apply

Tokens will be distributed after launch

So, firstly, the token rewards can only be paid once Minotari actually exist. Obviously. But we’d love to have any bugs that warrant the highest payout to be found before launch. Obviously.

So we’re kicking off the bounty program now, and handing out IOUs for the tokens to be paid out a few months after launch. The delay is there to let the Minotari price stabilise for a period before issuing the awards.

The cash rewards are a little sweetener, in addition to the tokens, to compensate for the time delay between disclosure and token payout.

Cash rewards can only be claimed on HackerOne

We’re working with HackerOne to manage the bounty program. All the cash rewards will be paid out through that program, and you’ll need to register with HackerOne to claim them.

If you find a bug but don’t want to register with HackerOne, you can still claim the token reward but will forgo the cash bounty.

Non-critical, non-HackerOne disclosures will likely take much longer to triage, since these disclosures must be processed by the core developers, and they’re rather busy prepping for mainnet launch.

Read the full disclosure policy

You can read all the fine print, along with instructions on how to join the HackerOne bounty program in the Tari Security Policy document. Thank you for helping us make Tari more secure!
