We are thrilled to announce that the xHumanity Bug Bounty program is about to kick off!
Our highest priority is the security and efficiency of all xHumanity solutions. That’s why we are offering our community members an opportunity to submit their input for scaling the security of the platform.
Rewards
xHumanity shall use the CVSS vulnerability scoring system to assess the severity of the bugs that you hunt. The reward fund shall be divided by threat level as specified below:
● Critical Threat level (CVSS 9.0–10.0)
✔ Total fund of 1,000,000 XDNA for this level to be split between a maximum of 5 winners
● Major Threat level (CVSS 7.0–8.9)
✔ Total fund of 700,000 XDNA for this level to be split between a maximum of 5 winners
● Medium Threat level (CVSS 4.0–6.9)
✔ Total fund of 400,000 XDNA for this level to be split between a maximum of 5 winners
● Low Threat level (CVSS 1.0–3.9)
✔ Total fund of 100,000 XDNA for this level to be split between a maximum of 5 winners
Please note that if there are no winners at some of the levels, the level’s reward fund will not be divided between other levels’ winners. Instead, it will remain unused.
On the other hand, if we receive more than 5 great applications within one level, we may provide an extra prize of up to 500,000 XDNA for those who do not get rewards from the core reward fund outlined above.
Program Duration
The Bug Bounty shall begin on the 12th of February 2022 and is scheduled to end on the 28th of February 2022.
Winners shall be picked by March 1st and the rewards shall be airdropped in the winners’ wallets in the following days.
Scope of the Program
In scope for the xHumanity Bug Bounty program are the majority of the smart contract components that have been published on xHumanity Github to date. They can be found in the following repositories:
xHumanityRO/xHumanity-mvp (github.com)
xHumanityRO/NFT (github.com)
Also included are tests for the MVP application, which can be accessed at:
https://s9t.xhm.ro:8080/
Areas of Interest
These are some of the bugs and vulnerabilities that we are especially interested in:
• Logic Errors
• Congestion and scalability
• Cryptography issues
• Missing access controls/unprotected or debugging interfaces
• Token manipulation
• Liquidity exploits
Out of Scope
• Attacks that the hunter has identified and exploited, leading to damages
• Attacks requiring access to leaked keys and credentials
• Lack of liquidity
• Best practices, opinions and critiques
• Sybil attacks
The following activities shall result in disqualification:
• Phishing or social engineering attacks against the xHumanity users or team
• Testing with malicious or third-party systems or websites such as browser extensions, advertising networks, or SSO providers
• Denial of service attacks
• Automated or bot testing that generates heavy traffic
• Public disclosure of unamended or unpatched vulnerabilities
Terms
Only those vulnerabilities that are original should be awarded a bounty. This means that in case of a duplicate report, or two users reporting the same bug, the user who submitted the report FIRST shall be awarded.
Public disclosure of the vulnerability before the xHumanity team resolves it, without explicit consent from the team, will make the bounty hunter ineligible for further participation.
Reporting A Vulnerability
Any vulnerability or bug discovered should be reported only to the xHumanity team at [email protected]. Bounty hunters should not disclose the vulnerability or the bug policy to another party before contacting the xHumanity team. Please ensure that you disclose the bug to the xHumanity team as soon as you discover it, since speed matters!
In order to help us grasp the full context of the bug or vulnerability, we would appreciate it if you include as much information as possible in your emails.
Some of the topics that you can touch upon are:
● Steps needed to reproduce the bug.
● The potential impact of the vulnerability identified.
Overall, the more detailed your vulnerability report is, the higher your chances of receiving the rewards! So make sure to include as many details as you can.
Good luck to all the participants!
Finally, we would like to wish all our community members the best of luck with this program. We are glad to have you on board, assisting in maintaining the well-being and prosperity of the xHumanity platform and all users.
As usual, if you have any questions regarding the xHumanity bug bounty program, please type your queries in the official xHumanity Telegram Chat.
Website: https://xhumanity.org/
Telegram: https://t.me/xhumanityofficials