Bytom Safety Project

Scope of Business

Bytom Blockchain BVM Security (https://github.com/Bytom/bytom)
Protocol Layer Security (https://github.com/Bytom/bytom)
Consensus Layer Security (https://github.com/Bytom/bytom)
Serialization Security (https://github.com/Bytom/bytom)
Network Layer Security (https://github.com/Bytom/bytom)
Local Wallet Security (https://github.com/Bytom/bytom)
Web Wallet Security (https://github.com/Bytom/bytom-dashboard)
Private Key Management Security (https://github.com/Bytom/bytom)
Processing Flow

Reporting Stage
For any bug, send an email to contact@Bytom with the subject in the format 【Bytom Safe】.
Processing Stage
Within three working days, the Bytom Blockchain technical team will deal with the problem, draw conclusions and record points (status: confirmed / ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.
Repairing Stage
1. The Bytom Blockchain business department shall repair the security problems reported in the threat intelligence. The repair timeframe depends on the severity of the problem and the difficulty of the repair. Generally speaking, it is within 24 hours for critical and high-risk problems, within 3 working days for medium-risk problems, and within 7 working days for low-risk problems. App security issues are limited by the version release cycle, so their repair timeframe is decided on a case-by-case basis.
2. The reporter will review whether the security problem has been repaired.
3. After the reporter confirms that the security problem is repaired, the Bytom Blockchain technical team will issue rewards.
Vulnerability Level and Reward Standards
Remark: the final award depends on the severity of the vulnerability and its true impact; the values in the table are the highest rewards for each level.
Critical Vulnerabilities
A critical vulnerability is one that occurs in the core business system and can cause a severe impact.
Including but not limited to:
- Smart contract overflows, race conditions, double spends and consensus-layer vulnerabilities
- Communication-layer attacks that can DDoS a large number of other nodes at a small cost
High-risk Vulnerabilities
- Compromising the server through the Bytom Blockchain full-node program to gain control of it
- Unauthorized operations involving funds, or bypassing of payment logic (must be successfully exploited)
Medium-risk Vulnerabilities
- General unauthorized operations, including but not limited to modifying user data or performing user operations by bypassing restrictions
- Denial-of-service vulnerabilities, including but not limited to remote denial of service caused by denial of service of web applications
- Leakage of locally stored sensitive authentication key information, where the leaked information must be usable in practice
Low-risk Vulnerabilities
- Local denial-of-service vulnerabilities, including but not limited to client-side local denial of service (file format parsing, crashes triggered by network protocols), problems caused by Android component permission exposure, general application access, etc.
- General information leakage, including but not limited to web path traversal, system path traversal, directory browsing, etc.