Introduction
Ethos is committed to ensuring the security and reliability of our platform.
We encourage responsible disclosure of any potential vulnerabilities, and
recognize the importance of the community. To reward those who help us identify and fix vulnerabilities, we’ve created a Bug Bounty program.
Scope
The Bug Bounty Program encompasses all of our offerings, with an emphasis on new features. As an example, for the liquid staking, release, participants would be asked to test this feature extensively and write a brief report on their experience.
Bugs might also be as minor as a spelling or grammatical error, or UI/UX fixes. For example, a participant taps the back button, but is redirected to a screen other than the previous one.The goal is to be thorough and smash those bugs!
Rewards
Base reward: For every unique bug that hasn't been reported before, participants will be rewarded between 50 - 125 ETHOS tokens depending on severity.
Feature report: Select individuals will be chosen to test a feature early and write a report. The report should include detailed feedback even if there are no bugs identified. This reward will be greater than a single bug report, and participants will be rewarded with 300 ETHOS tokens.
Bonus reward: Additional bonuses may be provided based on the severity, impact, and quality of the bug report.
Bug leaderboard reward: For the top 3 bug reporters, there’ll be an additional reward.
Bug Reporting Process
Report structure:
Summary: A brief description of the issue.
Steps to reproduce: Detailed steps that could allow someone else to reproduce the issue.
Impact: Explanation of the potential impact of the issue on our platform and users.
Visuals: If applicable, include any screenshots or videos. showcasing the bug.
Bug section: Elaborate on the technical details of the bug.
Suggestions section: Provide any suggestions or possible fixes.
Overall impression: Share your overall thoughts on the tested feature.
Submission:
Reports should be submitted to our dedicated email: support@ethos.io
Guidelines
Testing: Perform testing only on the areas specified under scope. Any out-of-scope testing won’t be rewarded and could lead to legal actions. (See Out-of-scope below.)
Do No Harm: Do not exploit the vulnerability beyond the need to demonstrate it. Do not compromise or exfiltrate data, and do not interrupt our services.
Disclosure: Do not disclose the bug publicly before it has been resolved. Give our team reasonable time to fix the issue before discussing it publicly.
Duplicate reports: If the same bug is reported by multiple users, the reward will go to the user who reported it first.
Quality over quantity: We value quality reports over the number of reports. Spamming with multiple low-quality reports might disqualify you from the program.
Out-of-scope
Physical attacks or social engineering of our employees.
Denial of Service (DoS) vulnerabilities.
Issues that rely on compromising user devices or phishing attacks.
Eligibility
All bugs must be original and previously unreported.
The bug must be a direct vulnerability of our platform and not a result of user negligence or third-party apps.
Issues stemming from the underlying blockchains themselves (e.g., Ethereum, Bitcoin) are not in scope unless they specifically relate to our implementation.
Evaluation
Our team will review each submission, and the reward will be based on the severity and potential impact of the bug:
Critical: Directly compromising user funds or the overall integrity of the platform.
High: Could indirectly lead to fund compromise or significant data breaches.
Medium: Issues that could harm the user experience but aren't critical.
Low: Minor issues with limited impact.
Terms and Conditions
We reserve the right to decide if the bug qualifies for the reward.
Participants must comply with all applicable laws.
By participating, you agree to these terms.
Report Template Example
Platform: iOS (or Android)
Country of Residence: USA (or other)
Device Make & Model: iPhone 13 (or other)
App Version Installed: 1.1.1 (or other)
Ethos Vault Address: 0x________________
“I am experiencing this bug when trying to access the Vault. I was a TestFlight user and did not experience this issue on the TestFlight version. After restoring my vault to the App Store version, I have not encountered any other issues except for this JSON Parse error as pictured below. I restored the vault using the Safe Words rather than the 24 Words. It appears to happen every time I attempt to access the vault, not just some of the time. I have not made any other changes to the way I use my device so I believe this is a technical error within the app. Please see the screenshot attached below.”
---------------------------------------------------------------------------------------------------------------------------------------
Conclusion
Your assistance in identifying vulnerabilities is invaluable to us. Together, with your help, we aim to stand by our slogan of, “No compromise crypto,” where ease of use meets the highest standard of security for our users.
Thank you for participating in the Ethos Bug Bounty program.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article