⛰️Security Bounty Program #17

Open

oleganza opened this issue Feb 29, 2024 · 4 comments

oleganza commented Feb 29, 2024

Tonkeeper security bounty program rewards researchers who identify and disclose vulnerabilities in the upcoming Wallet Version 5 ("W5") smart contract that is a candidate to become the industry standard in the TON ecosystem.

How to report vulnerabilities

  1. Report your vulnerability publicly as an issue in our repository: https://github.com/tonkeeper/w5, or privately to [email protected] or https://t.me/oleganza.
  2. We do not reward disclosures of already known or previously reported issues.
  3. Multiple vulnerabilities caused by one underlying issue will be rewarded once.
  4. Security Bounty reward payments are made at our sole discretion and are based on the type of issue, the level of access or execution achieved, and the quality of the report. A high-quality research report is critical to help us confirm and address an issue quickly, and could help you receive a Security Bounty reward.
  5. We reserve the right to amend the awards and categories at any time. The bounty offer is valid as of Feb 23, 2024 and may be terminated or rephrased at a future date when the project evolves from its current state.

Top Category

Reliable loss of funds with no or little user interaction.

Reward: 5000–10000 TON

Example: tricking the wallet into performing actions that the user did not authorize, or forcing the wallet into an inconsistent state that prevents access to the funds, bypassing any reasonable checks in the user agent.

Medium Category

Limited access to funds or confidential data, not reliable or requiring substantial user interaction.

Reward: 1000–2500 TON

Example: tricking a user to sign a transaction that spends funds differently from what the wallet showed in the confirmation screen.

Low Category

Low probability attack vectors and potential issues beyond explicit design choices.

Reward: 250–500 TON

Out of scope

  • Issues in prior versions of the contract (before fa1b372).
  • Issues in documentation are not considered vulnerabilities.
  • Issues due to a fault outside the scope of the wallet contract code and its immediate toolchain and libraries.
  • Risks due to explicit design choices, such as attaching a malfunctioning extension and disabling the public key auth check.

@oleganza oleganza changed the title Security Bounty Program ⛰️Security Bounty Program Feb 29, 2024
@oleganza oleganza pinned this issue Feb 29, 2024
@Asai123-stake

UQDZoiZKMnxFvXt6uT3ikrNfQAhkxi4Ltp2b-vz6FfOgg5kK
Help me please 🙏🥺 I need toncoin

mhranpp commented Nov 26, 2024

UQCHtfnVHP-y7RvxtcBtGGLn3EtcRmA8wMyj5nLUR7B5LDfx
