The Energy Web Bug Bounty Program exists to incentivize and reward members of the community who identify and help resolve security vulnerabilities in the EW Chain, Utility Layer, EW-DOS toolkits, and auxiliary EW-related tools and infrastructure.
The scope of the program includes issues that can result in the loss of functionality and/or data in all public EW GitHub repositories and hosted applications (Switchboard, EWC Bridge, Key Manager). The primary areas of interest are:
> Access/Identity vulnerabilities
> Logical Errors
> Exploitation - XSS, CSRF, SQL injection, SSL misconfigurations etc.
> Smart Contract Errors
> Cryptography Errors
The following are out of scope and excluded from the Bug Bounty program:
> DNS, configuration, and hosting of the
energyweb.org website
> Any known vulnerabilities reported on third-party sites (e.g., Hackerone)
> Any previously-reported vulnerabilities (those listed on
https://www.energyweb.org/technology/ew-dos/bug-bounty-program/)
> Any vulnerability found using common open-source scanner tools ( e.g.,
https://github.com/sullo/nikto or
https://github.com/maurosoria/dirsearch)
Bugs are categorized at the sole discretion of the Energy Web Technical Committee using a risk assessment matrix based on impact and likelihood. The reward for a given bug is proportional to its severity; rewards are also higher for reporting a bug along with a recommended resolution than for reporting a bug alone.
Severity categories are defined as follows:
> Low = vulnerabilities that may result in reduced functionality for certain users under specific conditions.
> Moderate = vulnerabilities that will result in reduced functionality for all users under existing conditions.
> High = vulnerabilities that may result in 1) loss or reduced access to EWT, private keys, or personally-identifiable information for some users under certain conditions, or 2) complete system failure for some users under certain conditions.
> Critical = vulnerabilities that will result in irrevocable loss of EWT, private keys, or personally-identifiable information and/or complete system failure for all users under existing conditions.
To be eligible for the reward, a reporter must meet ALL of the following criteria:
1. Complete the form below and provide a description of the reproducible bug, including a script and/or detailed step-by-step instructions on how to expose the vulnerability.
2. The reporter must include a high-level summary, detailed attack / failure scenario, proposed impact / likelihood. Reporters must show the impact of the vulnerability - in other words what harm potentially could they do with the retrieved information. Sometimes, vulnerabilities indeed seem critical but could not be exploited in a harmful way, (e.g. disclosed server root password seems critical however only if that server is accessible from the internet).If also providing a resolution, they must include an invitation to the relevant private GitHub repository and/or related documentation.
3. The reporter must also provide an address for the EWT bounty reward.
4. Be the first person to report the issue (see list of known issues below)
5. Not disclose any details of the bug / vulnerability publicly.
Not be a paid auditor or contractor of EWF.
6. To be eligible for an EWT and/or public recognition reward, the reporter must also provide their legal name; email address; nationality, and country of residency. Reporters may be asked to also provide a digital copy of a government-issued identification document and a photo of themselves holding their government-issued identification document along with a note depicting their legal name, the date of the report, and Energy Web Chain address. This information will be used exclusively to perform KYC/AML verification under the terms of Energy Web privacy policy:
https://www.energyweb.org/privacy-policy/Upon receipt of a vulnerability report, the EW team will review the details and respond directly if the vulnerability is deemed to be credible and eligible for the program under the terms above. Due to the volume of reports, not all reports will receive a direct response.