synor/docs/BUG_BOUNTY.md
Gulshan Yadav 1606776394 feat: Phase 7 critical tasks - security, formal verification, WASM crypto
## Formal Verification
- Add TLA+ specs for UTXO conservation (formal/tla/UTXOConservation.tla)
- Add TLA+ specs for GHOSTDAG ordering (formal/tla/GHOSTDAGOrdering.tla)
- Add mathematical proof of DAA convergence (formal/proofs/)
- Document Kani verification approach (formal/kani/)

## Bug Bounty Program
- Add SECURITY.md with vulnerability disclosure process
- Add docs/BUG_BOUNTY.md with $500-$100,000 reward tiers
- Define scope, rules, and response SLA

## Web Wallet Dilithium3 WASM Integration
- Build WASM module via Docker (498KB optimized)
- Add wasm-crypto.ts lazy loader for Dilithium3
- Add createHybridSignatureLocal() for full client-side signing
- Add createHybridSignatureSmart() for auto-mode selection
- Add Dockerfile.wasm and build scripts

## Security Review ($0 Approach)
- Add .github/workflows/security.yml CI workflow
- Add deny.toml for cargo-deny license/security checks
- Add Dockerfile.security for audit container
- Add scripts/security-audit.sh for local audits
- Configure cargo-audit, cargo-deny, cargo-geiger, gitleaks
2026-01-10 01:40:03 +05:30


# Synor Bug Bounty Program
## Overview
The Synor Bug Bounty Program rewards security researchers who discover and responsibly disclose vulnerabilities in the Synor blockchain protocol and its implementations.

**Program Status:** Active

**Platform:** [Immunefi](https://immunefi.com/bounty/synor)
---
## Scope
### In-Scope Assets
| Asset | Type | Severity |
|-------|------|----------|
| `synor-consensus` | Smart Contract/Protocol | Critical |
| `synor-crypto` | Cryptography | Critical |
| `synor-vm` | Smart Contract VM | Critical |
| `synor-network` | Protocol/Network | High |
| `synor-dag` | Protocol Logic | High |
| `synor-rpc` | API/Web | Medium |
| `synord` (node) | Infrastructure | Medium |
| Web Wallet | Web/App | Medium |
| Explorer | Web/App | Low |
### In-Scope Vulnerabilities
**Critical (Blockchain/DeFi)**
- Double-spending attacks
- Consensus manipulation
- Unauthorized minting/burning
- Private key extraction
- Signature forgery
- Eclipse attacks
- 51% attack vectors
**High**
- Denial of service (network-level)
- Memory corruption
- Integer overflows affecting security
- Cryptographic weaknesses
- Smart contract reentrancy
- Cross-contract vulnerabilities
**Medium**
- RPC authentication bypass
- Information disclosure
- Transaction malleability (non-security)
- Rate limiting bypass
**Low**
- UI/UX vulnerabilities
- Information leakage (non-sensitive)
- Best practice violations
### Out of Scope
- Attacks requiring physical access
- Social engineering (phishing, etc.)
- Denial of service via resource exhaustion (without amplification)
- Third-party dependencies (report to upstream)
- Issues in test networks (unless exploitable on mainnet)
- Known issues listed in GitHub Issues
- Theoretical attacks without PoC
---
## Rewards
| Severity | Reward (USD) | Examples |
|----------|--------------|----------|
| **Critical** | $50,000 - $100,000 | Double-spend, key extraction, consensus break |
| **High** | $10,000 - $50,000 | DoS, memory safety, crypto weakness |
| **Medium** | $2,500 - $10,000 | Auth bypass, info disclosure |
| **Low** | $500 - $2,500 | Minor issues, best practices |
### Reward Factors
Rewards are determined by:
1. **Impact** - What can an attacker achieve?
2. **Likelihood** - How easy is exploitation?
3. **Quality** - Report clarity and PoC quality
4. **Originality** - First reporter, novel technique
### Bonus Multipliers
| Factor | Multiplier |
|--------|------------|
| Working PoC | +25% |
| Suggested fix | +10% |
| Mainnet-ready exploit | +50% |
| Novel attack vector | +25% |
---
## Rules
### Eligibility
- You must be the first to report the vulnerability
- You must not have exploited the vulnerability
- You must not disclose publicly before the fix is deployed
- You must comply with all applicable laws
- Synor team members are not eligible
### Responsible Disclosure
1. **Report** - Submit via Immunefi platform
2. **Confirm** - We acknowledge within 24 hours
3. **Triage** - We assess severity within 72 hours
4. **Fix** - We develop and test a fix
5. **Deploy** - Fix is deployed to production
6. **Disclose** - Public disclosure after 30 days (or sooner if agreed)
7. **Reward** - Payment processed within 14 days of fix deployment
### Good Faith
We will not pursue legal action against researchers who:
- Act in good faith
- Do not access user data
- Do not disrupt services
- Report promptly
- Do not demand payment beyond program terms
---
## How to Report
### Via Immunefi (Preferred)
1. Go to [immunefi.com/bounty/synor](https://immunefi.com/bounty/synor)
2. Click "Submit Report"
3. Fill out the vulnerability details
4. Include PoC if possible
5. Submit and wait for acknowledgment
### Via Email (Alternative)
If Immunefi is unavailable:

**Email:** security@synor.cc

**PGP Key:** [link to key]

Include:
- Vulnerability description
- Steps to reproduce
- Impact assessment
- Your wallet address (for payment)
### Report Quality
A good report includes:
```markdown
## Summary
Brief description of the vulnerability
## Severity
Your assessment (Critical/High/Medium/Low)
## Affected Component
Which crate/module/file
## Steps to Reproduce
1. Step one
2. Step two
3. ...
## Proof of Concept
Code or commands to demonstrate
## Impact
What an attacker could achieve
## Suggested Fix
(Optional) How to fix it
```
---
## Response SLA
| Action | Timeframe |
|--------|-----------|
| Initial response | 24 hours |
| Severity assessment | 72 hours |
| Fix development | 7-30 days (severity dependent) |
| Reward payment | 14 days after fix |
| Public disclosure | 30 days after fix |
---
## FAQ
### Q: Can I test on mainnet?
**A:** No. Use testnet only. Mainnet exploitation will disqualify you.
### Q: What if I accidentally cause damage?
**A:** If you acted in good faith and reported immediately, we will not pursue action.
### Q: Can I publish my findings?
**A:** Yes, after the fix is deployed and the disclosure period ends.
### Q: How are duplicate reports handled?
**A:** First valid report wins. Duplicates may receive partial reward for additional info.
### Q: What currencies do you pay in?
**A:** USDC, USDT, or SYNOR tokens (your choice).
---
## Hall of Fame
| Researcher | Finding | Severity | Date |
|------------|---------|----------|------|
| *Be the first!* | - | - | - |
---
## Contact
- **Security Team:** security@synor.cc
- **Immunefi Program:** [immunefi.com/bounty/synor](https://immunefi.com/bounty/synor)
- **Discord:** #security-reports (for general questions only)
---
## Legal
This program is governed by the Synor Bug Bounty Terms of Service. By participating, you agree to these terms.

Synor reserves the right to:
- Modify program terms with 30 days' notice
- Determine severity classifications
- Withhold payment for policy violations
---
*Last Updated: January 2026*