Aragon token sale bug bounty

We're excited to announce that we are conducting a bug bounty in advance of the Aragon Network Token sale. We believe bug bounties are essential to ensuring a safe release, and are especially important when cryptocurrency is being exchanged. This post will provide more details on our bug bounty program scope, the timeline, and compensation.

Program Scope

The scope of our bug bounty program includes all contracts related to the Aragon token sale and the Aragon Network Token code.

Specifically, the bug bounty program will encompass:

For more information about the sale, see our detailed GitHub document on the sale flow.

Timeline

As of this post, the bug bounty program is considered started, and valid bug reports will be compensated moving forward. The bounty program will continue even after the token sale.

Compensation

We are using the OWASP risk assessment methodology to determine the bug's level of threat to the sale.

Note: Up to $100 USD

Low: Up to $500 USD

Medium: Up to $1,000 USD

High: Up to $2,500 USD

Critical: Up to $5,000 USD

Example:

An identified attack that could steal raised funds would be considered a critical threat.

If there were a way for someone to spend more tokens than they own or to mint their own ANT, the bug would be considered a high threat.

Please note that the submission's quality will factor into the level of compensation. A high-quality submission includes an explanation of how the bug can be reproduced, a failing test case, and a fix that makes the test case pass. High-quality submissions may be awarded amounts higher than the amounts specified above.

Note that bounties will be paid in ETH and that Aragon team members and paid auditors are not eligible for bounty compensation.

Reporting

Public disclosure of the bug or indication of an intention to exploit it on the mainnet will make the report ineligible for a bounty.

If in doubt about other aspects of the bounty, most of the Ethereum Foundation bug bounty program rules will apply.

Please report bug bounty submissions to security@aragon.one.