Announcement: Jackal Protocol Bug Bounty Program
The mission of the Jackal Protocol is to deliver the fundamental human rights of accessible data security and privacy to the Internet’s citizens without compromise. One of this mission’s core tenants is proactively identifying and resolving security vulnerabilities.
As the development pipeline for the Jackal Protocol is in perpetual motion, so should our security testing and bounty programs.
The Jackal Bug Bounty Program exists to reward hackers who discover bugs on the Jackal Protocol and products. To be eligible for a reward, hackers and security researchers must responsibly disclose them. Responsible disclosure includes adhering to strict confidentiality and not publishing sensitive information in public, on Github, or by any means that would compromise this program's operational security.
Compensation is rewarded in either JKL, USDC, or USDT cryptocurrencies.
The compensation plan for this bounty program is relative to impact, risk, the likelihood of the exploit, and report quality. To ensure standardization and fairness, compensation is based on the standardized CVSS framework to score reports. Scoring will be conducted by a representative from Jackal Labs, the Jackal Foundation, or an agreed-upon third party.
There is no maximum program reward. We have left the maximum program reward without a ceiling as we value the disclosure of severe bugs and the tireless work of hackers in an ever-changing digital landscape. At our discretion, we may reward creative low-tier bugs or high-quality reports at a higher tier than determined by the CVSS framework.
Teams can request the bounty to be split amongst multiple parties.
If a bug report for the same bug is submitted multiple times, the bug bounty will be rewarded to the party that submitted the first bug report in chronological order.
In Scope Source Code
Not in Scope
- Bugs from third-party tools we use, such as Discord, Telegram, WordPress, etc., should be reported to those services directly. Bugs from these third parties will not qualify for this program.
- The following domains are not in scope as they are managed by a third-party hosting service.
- “Advisory” or “Informational” reports that are scanner generated and do not include specific testing will not be eligible for rewards.
- In the interest of safety for our contributors, bugs found through physical testing or findings derived from social engineering will not be eligible for rewards.
- Vulnerabilities requiring MITM or physical access to a user’s device will not be eligible.
This program aims to encompass a full range of bugs that can demonstrate a security risk.
To qualify for a bounty, bugs must:
- Not have been publicly reported on social media.
- Not publicly reported on Github.
- If the vulnerability is a matter of halting the chain, the vulnerability must be verified on a private testnet and not on the public mainnet.
- Not accessible on the public internet, nor is it viewable through open-source intelligence techniques.
- The bug is valid on the corresponding repository's latest stable release branch/tag.
- The bug is valid for 64-bit machines with at least 2 GB of RAM.
- Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.
- Where possible, please provide a reproducible example of how to trigger the unexpected behaviour to speed up the patching process.
Non-exhaustive examples of vulnerabilities that are of interest:
- Data leaks
- Authentication bypasses
- Jackal Proof of Persistence bypass
- Consensus breaking
- Chain halt conditions
- Memory allocation bugs
- Unauthorized modifications of chain code
- Amplification attack with malicious network traffic
- Altering data stored by Jackal Protocol users
- Manipulate blockchain history
- Race conditions
- Timing attacks
- Incorrect block validation
- Denial of service both on the application and protocol layer
- Unauthorized account or capability access
- Stolen tokens from nodes, relayers, or users
- Token inflation bugs
- Payloads/transactions that cause panic
A team member will provide a first response within 48 hours of submitting the bug report and keep the reporter updated throughout the patch and reward process.
If you have found a bug, please disclose a bug report by emailing it to security[at]jackallabs.io. Responsible disclosure of a bug includes adhering to strict confidentiality and not publishing sensitive information publicly, on Github, or by any means that would compromise this program's operational security.
Jackal Protocol has the following disclosure policy.
- Upon receipt, the Jackal Team will verify the issue and determine the severity level.
- If the bug affects Tendermint or the Cosmos SDK, the Jackal Contributors will attempt to contact the Tendermint Core team and other stakeholders of the Cosmos Hub.
- In private repositories, patches will be prepared for release.
- If it is determined that a CVE-ID is required, we request a CVE through a CVE Numbering Authority.
- Notify the community that a security release is pending to give users time to prepare for an upgrade.
- The team will aim to have a patch applied and a new release issued 24 hours after notification.
- Once the new release is available, the Jackal team will again notify community members.
- Once the community is notified for the second time, the bounty will be rewarded to the party or parties that submitted the bug report.
- The team will have seven days after the fix is implemented to release a full report on the vulnerability and subsequent response and patch.
Any activities conducted in a manner consistent with the policies outlined by this bug bounty program will be considered authorized conduct. Jackal Labs and the Jackal Foundation will NOT initiate legal action against hackers or security researchers that abide by the policies of this program. If a third party initiates legal action against you concerning activities protected by this policy, Jackal Labs and the Jackal Foundation will issue a public statement that your actions were in compliance with this policy.
Jackal Labs and the Jackal Foundation reserve the right to modify or cancel the Jackal Bug Bounty Program at anytime. Hackers and security researchers that have bug reports submitted before changes are made to this program and were not rewarded until after changes occur will have their bounty rewarded relative to the version of the program published at the time of bug report submission.
Thank you for helping keep the Jackal Protocol secure and safe in perpetuity. Your only crime is that of curiosity, and you shall be rewarded within the program outlined here.
"You may stop an individual, but you can't stop us all... after all, we're all alike" The Mentor
January 8, 1986