Golem Bug Bounty Competition—Yagna edition

Golem Factory GmbH has created a new implementation of the Golem Network. We’re introducing a Bug Bounty for the Golem Network implementation—Yagna.

Keep in mind that some reports might not fall within the criteria to be included in this Bug Bounty. For general feedback, we also have the GLM Rewards Program with the Feedback category.

A. Introduction

We invite our community to join our Yagna Bug Bounty Competition (the “Competition”). Please have a look at the content below before starting your hunt.

The individual reward for which an accepted bounty qualifies will depend upon the amount and quality of all bounties submitted and accepted into the Competition. The bounty pool will be available until June 30th, 2021.

For each bounty application, you will need to submit a separate application via email (contact@golem.network with the subject “BUG BOUNTY REPORT”). The form is simple, quick to complete, and will assist us in determining the fairest way to distribute the rewards (see appendix 1).

By submitting a bounty application, you agree to the terms and conditions set forth herein. We have prepared some examples (section E); when considering whether to participate in the bug bounty, please keep in mind that submissions are expected to be along the lines of these examples.

B. Bug Categories

Golem Bug Bounty Competition is focused on a wide variety of issues related to the overall security of Golem, in particular (but not limited to) the functioning of the Yagna application and the network protocol. For more specifics, please see Section D.2: Other variables, Quality of reproducibility.

Please note that the Bug Bounty competition covers SECURITY BUGS only. Also note that the website (https://golem.network/ and blog), local host attacks, Man in the Middle (MitM) attacks and DDoS attacks aren’t covered by this bug bounty.

C. General Rules

  • Issues that have already been submitted by another user or that are already known to the bug bounty team of Golem Factory GmbH are not eligible for rewards.
  • Public disclosure of an issue makes it ineligible for a reward. Instead, issues should be reported to contact@golem.network with the subject “BUG BOUNTY REPORT”.
  • You can start (or fork) a private chain for bug hunting. Please respect the Ethereum mainnet and testnets and refrain from attacking the networks.
  • Golem Factory GmbH development team, employees and all other people with any professional connection to Golem are not eligible for rewards.
  • Golem Factory GmbH affiliated websites (in particular golem.network) or infrastructure in general are not part of the Competition.
  • Rewards are, by definition, voluntary and cannot be used as precedents for future rewards.
  • The Competition considers a number of variables in determining rewards. The determination of whether or not a reported issue qualifies for a reward, the severity of the issue, the size of a reward, and all other terms related to a reward are at the sole and final discretion of the bug bounty team of Golem Factory GmbH.
  • Golem Factory GmbH can cancel the Bug Bounty Competition any time.

D. Reward Determination Guidelines

The determination of a reward to be paid out will vary depending on severity and other variables, at the full discretion of Golem Factory GmbH, using the guidelines set forth below.

1. Size of rewards

We will follow a standard risk analysis approach and the OWASP Risk Rating methodology when analysing reported bugs:

OWASP Risk Rating Model

  • Critical/High: up to 11,900 USD (or USD equivalent), limited to bug bounty pool
  • Medium: up to 4,800 USD (or USD equivalent)
  • Low: up to 1,300 USD (or USD equivalent)

Golem Factory GmbH reserves the right to change the above rate without prior notice and without the possibility of recourse. Please also note that since this guideline is non-binding, USDC allocations are in the end determined at the sole discretion of the bug bounty team of Golem Factory GmbH and all reward decisions are final.

2. Other variables

In addition to severity, other variables are also considered when the bug bounty team of Golem Factory GmbH determines the reward to be paid, including (but not limited to):

  • Quality of description: Higher rewards are paid for clear, well-written submissions. This makes it easier for us to quickly understand the scope and severity of the submitted issue.
  • Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Vulnerabilities found in the following repositories will be considered for a reward: yagna, ya-service-bus, ya-runtime-vm, ya-runtime-wasi, ya-client, yapapi, yajsapi.
  • Quality of fix, if included: Higher rewards are paid for submissions with a clear description of how to fix the issue.

E. Examples

We’ve prepared a list of examples to help you get started on your bug bounty hunting. The bug bounty program is not limited to the examples below; they are a guide to point you in the right direction on what you could hunt for.

Funds Security

Demonstrate a way to:

  • Sign a message/transaction using another node's private key (this includes making an arbitrary transfer)
  • Corrupt/delete another node's wallet/private key
  • Steal another node's private key
  • Redirect a payment made by a requestor meant for another provider to instead be sent to your own wallet
  • Cause a requestor to grossly overpay in transaction fees
  • Get paid by a requestor without doing any work
  • Get paid more than agreed for a task
  • Get paid with mainnet GLM for a testnet task
  • Get paid twice (or more) for the same invoice
  • Trick a provider to mark an invoice/debit note as settled without paying it

Exeunit / Provider Security

Demonstrate a way to:

  • Perform a remote attack showing that you can use the exposed provider to gain control of the machine
  • Escape the exeunit environment and be able to read the external machine filesystem
  • Freeze / render the machine useless by sending a specific exeunit payload

Requestor Security

Demonstrate a way to:

  • Perform a remote attack showing you can gain control of or freeze / render a requestor machine useless
  • Perform a remote attack that would corrupt the functioning of the requestor agent on the requestor's machine (in a wider scope than the interactions with the attacking node)
  • Perform a remote attack that would corrupt the requestor's interactions (in terms of scoring or direct communications) with other providers
  • Draft a response or a result that would allow you to tamper with the results provided by the other providers

Yagna Daemon Security

Demonstrate a way to:

  • Perform a remote attack showing you can use the exposed yagna server to gain control of the machine
  • Freeze / render the machine useless (DDoS attack not included)
  • Perform a remote attack that would stop the yagna daemon or one of its components (gftp, etc) from working correctly (in a wider scope than just breaking the correct interactions with the attacking node)

Decentralised Marketplace Failure

Demonstrate a way to:

  • Crash the Market Resolver with a specific demand/offer pair
  • Create/craft demands/offers that would render the **Market unusable**
  • Abuse the (internal) Market Protocol to, e.g., impersonate another node (e.g. negotiate and sign an Agreement as someone else)
  • Create an activity on behalf of another node, i.e. the node that actually negotiated the Agreement
  • Craft an Offer/Demand pair that passes matching although it should not

VM Repo Server Security

Demonstrate a way to:

  • Cause an image within the Golem Image Repository service to be removed, corrupted or changed in an unauthorized manner

Golem Bug Bounty Competition is an experimental and discretionary reward program aimed at encouraging and rewarding improvement of Golem. By participating in the Competition, you acknowledge that Golem Factory GmbH can cancel the program at any time, and rewards are paid at the sole discretion of the bug bounty team of the Company. In addition, the Company is not able to issue rewards to individuals who are on the US, Swiss, European (or other) sanctions lists or who are citizens of sanctioned/embargoed countries (e.g. North Korea, Iran, Syria, Cuba, etc.). The transfer of a reward may therefore be made subject to a prior and successful KYC check of the participant. All recipients of any bounty tokens are responsible for all taxes under their respective jurisdictions and situations. All rewards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

Any disputes arising out of or in connection with the Bug Bounty Program shall be exclusively decided by the ordinary courts of the city of Zug, Switzerland, in accordance with Swiss law.

Please make sure you read our Privacy Policy.

Note: Golem Factory reserves the right to take more than 24 hours to reply to bug bounty messages. We are reading everything, yet have to prioritise some reports over others.