Vulnerability Reporting

Earn up to USD $10,000 equivalent of DXN for each qualified vulnerability submitted

Introduction

  • DEXON is the next-generation Distributed Ledger Technology with security as its top priority. DEXON recognizes the importance of security research in keeping the platform and users’ assets safe. Hence, we encourage responsible disclosure of security vulnerabilities on the DEXON network through the bug bounty program as described below.
  • Responsible Disclosure

    • Providing us with a reasonable amount of time to fix the issue before publishing it elsewhere.
    • Making a good-faith effort not to leak or destroy any DEXON user data.
    • Not defrauding DEXON’s users or DEXON itself in the process of discovering these vulnerabilities.
    • To promote responsible disclosure, the DEXON team will not take legal action against researchers who identify a problem, provided that the researchers follow the guidelines as stated above.

    Service Level Agreement

    • Time to first response (from report submission) - Within 5 business days.
    • Time to triage (from report submission) - Within 10 business days.
    • Time to bounty distribution (from triage) - Within 10 business days.

    Rules

    • Please provide a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.
    • Submit one vulnerability per report unless you need to link the vulnerabilities to provide an impact analysis.
    • When duplicates occur, only the first report received will be awarded, provided that the information in it is fully reproducible.
    • Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.
    • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
    • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts that you own or have explicit permission to test.

    Rewards

    • Our rewards are based on severity per CVSS (Common Vulnerability Scoring System). Please note these are general guidelines and the reward decisions are at the sole discretion of the DEXON Foundation.
    • Reward bracket:
      • Critical (9.0-10.0): USD $5,000 - $10,000 equivalent of DXN
      • High (7.0-8.9): USD $2,500 - $4,999 equivalent of DXN
      • Medium (4.0-6.9): USD $500 - $2,499 equivalent of DXN
      • Low (0.1-3.9): USD $100 - $499 equivalent of DXN
    • Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

    Scope

    Areas Of Interest

    • Node crashes via P2P protocol, HTTP RPC API or smart contract.
    • Break safety or liveness of consensus algorithm.
    • Turn a smart contract into an infinite loop.
    • Cause a smart contract to consume large amounts of memory (more than 64MB).
    • Trigger unauthorized actions on account(s).
    • Cause a smart contract to consume more gas than the gas limit specified in the transaction.
    • Cause nodes to produce large amounts of network traffic (more than 10x).
    • DoS-style vulnerabilities will be considered provided that the attack is effective due to a specific code issue in DEXON's own code base. You may not use public mainnets to prove DoS attacks: all PoCs must be done against a testnet with the permission of the stakeholders operating that testnet.

    Out-of-Scope Vulnerabilities

  • When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out-of-scope:
    1. Vulnerabilities in the Ethereum code base are ineligible.
    2. Attacks that require controlling more than 1/3 of nodes.
    3. Spamming.
    4. Attacks requiring MITM or physical access to a user's device.
    5. Previously known vulnerable libraries without a working Proof of Concept.
    6. Missing best practices in SSL/TLS configuration.
    7. Vulnerabilities in third-party applications which make use of DEXON.
    8. Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s).
    9. User existence/enumeration vulnerabilities.
    10. Reports from automated tools or scans (without accompanying demonstration of exploitability).
    11. Social engineering attacks against DEXON employees or contractors.
    12. Text-only injection in error pages.
    13. Reports found by building the DEXON software for architectures other than x86-64 are not valid.
    14. Wiki pages on GitHub are not valid targets.
  • Notice

    • DEXON Foundation will determine, at its sole discretion, whether a vulnerability is eligible for a reward and the corresponding amount of the reward. By submitting a bug, you agree to be bound by the rules mentioned above.
    • Thank you for helping keep DEXON Foundation and our users safe!

    Disclaimer

    • DEXON Foundation reserves the right to cancel any award(s) provided if the submission infringes or constitutes a misappropriation of any right of any third party.
    • All rewards will be paid in DEXON coin (DXN). The exchange rate between DXN and United States Dollar will be determined by DEXON Foundation according to the prevailing market conditions.