synor/docs/BUG_BOUNTY.md
Gulshan Yadav 1606776394 feat: Phase 7 critical tasks - security, formal verification, WASM crypto
## Formal Verification
- Add TLA+ specs for UTXO conservation (formal/tla/UTXOConservation.tla)
- Add TLA+ specs for GHOSTDAG ordering (formal/tla/GHOSTDAGOrdering.tla)
- Add mathematical proof of DAA convergence (formal/proofs/)
- Document Kani verification approach (formal/kani/)

## Bug Bounty Program
- Add SECURITY.md with vulnerability disclosure process
- Add docs/BUG_BOUNTY.md with $500-$100,000 reward tiers
- Define scope, rules, and response SLA

## Web Wallet Dilithium3 WASM Integration
- Build WASM module via Docker (498KB optimized)
- Add wasm-crypto.ts lazy loader for Dilithium3
- Add createHybridSignatureLocal() for full client-side signing
- Add createHybridSignatureSmart() for auto-mode selection
- Add Dockerfile.wasm and build scripts

## Security Review ($0 Approach)
- Add .github/workflows/security.yml CI workflow
- Add deny.toml for cargo-deny license/security checks
- Add Dockerfile.security for audit container
- Add scripts/security-audit.sh for local audits
- Configure cargo-audit, cargo-deny, cargo-geiger, gitleaks
2026-01-10 01:40:03 +05:30


Synor Bug Bounty Program

Overview

The Synor Bug Bounty Program rewards security researchers who discover and responsibly disclose vulnerabilities in the Synor blockchain protocol and its implementations.

Program Status: Active
Platform: Immunefi


Scope

In-Scope Assets

| Asset | Type | Severity |
|---|---|---|
| synor-consensus | Smart Contract/Protocol | Critical |
| synor-crypto | Cryptography | Critical |
| synor-vm | Smart Contract VM | Critical |
| synor-network | Protocol/Network | High |
| synor-dag | Protocol Logic | High |
| synor-rpc | API/Web | Medium |
| synord (node) | Infrastructure | Medium |
| Web Wallet | Web/App | Medium |
| Explorer | Web/App | Low |

In-Scope Vulnerabilities

Critical (Blockchain/DeFi)

  • Double-spending attacks
  • Consensus manipulation
  • Unauthorized minting/burning
  • Private key extraction
  • Signature forgery
  • Eclipse attacks
  • 51% attack vectors

High

  • Denial of service (network-level)
  • Memory corruption
  • Integer overflows affecting security
  • Cryptographic weaknesses
  • Smart contract reentrancy
  • Cross-contract vulnerabilities

Medium

  • RPC authentication bypass
  • Information disclosure
  • Transaction malleability (non-security)
  • Rate limiting bypass

Low

  • UI/UX vulnerabilities
  • Information leakage (non-sensitive)
  • Best practice violations

Out of Scope

  • Attacks requiring physical access
  • Social engineering (phishing, etc.)
  • Denial of service via resource exhaustion (without amplification)
  • Third-party dependencies (report to upstream)
  • Issues in test networks (unless exploitable on mainnet)
  • Known issues listed in GitHub Issues
  • Theoretical attacks without PoC

Rewards

| Severity | Reward (USD) | Examples |
|---|---|---|
| Critical | $50,000 - $100,000 | Double-spend, key extraction, consensus break |
| High | $10,000 - $50,000 | DoS, memory safety, crypto weakness |
| Medium | $2,500 - $10,000 | Auth bypass, info disclosure |
| Low | $500 - $2,500 | Minor issues, best practices |

Reward Factors

Rewards are determined by:

  1. Impact - What can an attacker achieve?
  2. Likelihood - How easy is exploitation?
  3. Quality - Report clarity and PoC quality
  4. Originality - First reporter, novel technique

Bonus Multipliers

| Factor | Multiplier |
|---|---|
| Working PoC | +25% |
| Suggested fix | +10% |
| Mainnet-ready exploit | +50% |
| Novel attack vector | +25% |

A "mainnet-ready" exploit must still be demonstrated on testnet only; running it against mainnet disqualifies the report (see the FAQ and the eligibility rules below).

Rules

Eligibility

  • You must be the first to report the vulnerability
  • You must not have exploited the vulnerability
  • You must not disclose publicly before fix is deployed
  • You must comply with all applicable laws
  • Synor team members are not eligible

Responsible Disclosure

  1. Report - Submit via Immunefi platform
  2. Confirm - We acknowledge within 24 hours
  3. Triage - We assess severity within 72 hours
  4. Fix - We develop and test a fix
  5. Deploy - Fix is deployed to production
  6. Disclose - Public disclosure after 30 days (or sooner if agreed)
  7. Reward - Payment processed within 14 days of fix deployment

Good Faith

We will not pursue legal action against researchers who:

  • Act in good faith
  • Do not access user data
  • Do not disrupt services
  • Report promptly
  • Do not demand payment beyond program terms

How to Report

Via Immunefi (Preferred)

  1. Go to immunefi.com/bounty/synor
  2. Click "Submit Report"
  3. Fill out the vulnerability details
  4. Include PoC if possible
  5. Submit and wait for acknowledgment

Via Email (Alternative)

If Immunefi is unavailable:

Email: security@synor.cc
PGP Key: [link to key]

Include:

  • Vulnerability description
  • Steps to reproduce
  • Impact assessment
  • Your wallet address (for payment)

Report Quality

A good report includes:

```markdown
## Summary
Brief description of the vulnerability

## Severity
Your assessment (Critical/High/Medium/Low)

## Affected Component
Which crate/module/file

## Steps to Reproduce
1. Step one
2. Step two
3. ...

## Proof of Concept
Code or commands to demonstrate

## Impact
What an attacker could achieve

## Suggested Fix
(Optional) How to fix it
```

Response SLA

| Action | Timeframe |
|---|---|
| Initial response | 24 hours |
| Severity assessment | 72 hours |
| Fix development | 7-30 days (severity dependent) |
| Reward payment | 14 days after fix |
| Public disclosure | 30 days after fix |

FAQ

Q: Can I test on mainnet?

A: No. Use testnet only. Mainnet exploitation will disqualify you.

Q: What if I accidentally cause damage?

A: If you acted in good faith and reported immediately, we will not pursue action.

Q: Can I publish my findings?

A: Yes, after the fix is deployed and disclosure period ends.

Q: How are duplicate reports handled?

A: The first valid report wins. A duplicate may receive a partial reward for any additional information it contributes.

Q: What currencies do you pay in?

A: USDC, USDT, or SYNOR tokens (your choice).


Hall of Fame

| Researcher | Finding | Severity | Date |
|---|---|---|---|
| Be the first! | - | - | - |

Contact


This program is governed by the Synor Bug Bounty Terms of Service. By participating, you agree to these terms.

Synor reserves the right to:

  • Modify program terms with 30 days notice
  • Determine severity classifications
  • Withhold payment for policy violations

Last Updated: January 2026