The Bounty Program is to enable developers to better participate in the development and construction of the QTUM main network and peripheral applications with the help of the community, so that QTUM remains safe, efficient, and meets the needs of more industry users.
It will not apply to the Bounty Program if there has been a similar issue or the Qtum team has known and is solving the bug.
Responsible Disclosure: no bounty will be rewarded if the reporter discloses the vulnerability publicly before the bug fix has been deployed.
Please fork the code to your own repository, fix the bug, and then submit pull request. It will formally be merged into the main branch after Qtum members' review.
The Qtum team members are employed by Qtum Foundation. They will not receive any bounties if they participate in bug repair process directly or indirectly.
The Bounty Program is to solve the technical problems of Qtum core products and improve product robustness. Qtum website, forum, organizational structure and so on are not included.
The bonus of Bounty Program is related to many factors, such as workload, incidence, severity, etc. The specific amount of Bounty Program is based on the conclusions of QTUM security team. QTUM security team reserves the right of final explanations for Bounty Program.
Please note that these are guidelines, final decisions regarding eligibility of issues are at the sole discretion of the Qtum Foundation. If you find any issue that does not fit in this scope but you still believe to be a security issue, we encourage you to report it. We are primarily looking for exploitable software bugs in the release version of the core code that cause one of the following:
The primary factor for determining the reward for an eligible submission is the severity of the issue evaluated using the OWASP risk rating model
*Qtum team makes the bug rating and reserves the right of final explanations.
|Bug Level||Submit with solution||Submit only|
Note: The currency is US dollars
Reported materials (15%):
Complete the report materials. Please refer to the application template link for details. All submitted materials should be in English.
Code repair (40%):
Finish the code repair and do not introduce new problems. If new problems are introduced, they should be resolved in the same submission.
Automated test script coverage or manual test method description (15%):
Automated test scripts play an extremely important role in the continuous integration of code and quality control under rapid iterations, so the improvement of automated test scripts will be an important indicator:
|Provide automated test scripts||100%|
|Provide manual test instructions||60%|
Repair time and efficiency (15%)
The repair time means the duration from the time when the Issue report is confirmed to the time when the repair code for bugs is merged into the codebase. QTUM security team will confirm the bug feedback messages and negotiate with the developer and explicitly indicate the expected repair time.
|Completed within the expected time||100%|
|Within 150% of the expected time||70%|
|More than 150% of the expected time||50%|
Introduction of repair ideas and methods and improvement of documents (15%) ：
We expect complete technical materials and documents.
Reporter visits the bug report page to submit bug details.
(Status: Pending review)
Within one working day, the QTUM security team will confirm the bug report, follow up the evaluation of the issue, and feedback the intelligence to the reporter (Status: Review).
Within three working days, the QTUM technical team will deal with the issue, draw conclusion, and give the expected completion time (Status: Confirmed/Ignored). If necessary, we will communicate with the reporter to confirm, ask the reporter to assist, and inform the developer of the evaluation result after completing assessment.
Complete test scripts, manual test instructions, repair ideas, and improvements of documents as required.
QTUM security team reviews the author's material integrity and repair completion level, and then issues a reward (Status: Closed)