This bug bounty program focuses on the Internet Computer Protocol and core Internet Computer components and canisters.
The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitutes the Internet Computer blockchain network platform. The protocol documentation and specs can be found here. In order to get a good overview of the Internet Computer and to get started with it please see here.
Source code: The Internet Computer Protocol (ICP)
All the aspects of Internet Computer behavior are governed by the community of enthusiasts and users of Internet Computer through a democratic governance system called the Network Nervous System (NNS). A high-level introduction to the operation of the system can be obtained from this quick video and this medium post.
The NNS front-end Dapp is a dapp that provides a user-friendly way to interact with the Internet Computer’s governance system. With it, you can:
The Internet Identity is an anonymous blockchain authentication framework supported by the Internet Computer. It builds on Web Authentication (WebAuthn) API supported by modern web browsers and operating systems, and the "chain key cryptography" framework that powers the Internet Computer. Here is the quick start guide to Internet Computer and also check out the following video.
The documentation for tools and development kits to assist with development in Internet Computer can be found here. Motoko is the native language of Internet Computer that simplifies the development of smart contract canisters.
One of the major component of the Internet Computer infrastructure are the boundary nodes. The boundary nodes sit on the perimeter and act as a gateway into the Internet Computer platform. Here is the list of boundary node domains:
In addition to the boundary nodes there are additional infrastructure assets that support the operations of the Internet Computer. Here is the list of the domains:
All public websites and 3rd party Dapps are out of scope for this bug bounty program. You can report issues but we don’t provide rewards.Submit informational bug
Once a submission has been made, Dfinity Foundation will respond within the first 72 hours. All valid security bugs will be handled in accordance with the Security Patch Policy and will trigger an internal incident response process. We will keep you updated and work with you through the process. Once the security bug has been resolved a communication will be made to the community describing the Incident where we will provide an acknowledgment for your efforts and soon follow it up with the rewards.
The attack is easy to perform at a low cost and has a severe global impact.
Disclosure of subnet key shares, Compromise of the integrity of the consensus process, for example, insertion of an arbitrary block into the blockchain, RCE in internal networks, memory underflow/overflow issues resulting in theft or illegal minting of exorbitant ( > $1M) amount of ICPs/Cycles
The attack is relatively straightforward but may have additional constraints that may affect the ease or cost of the attack to a certain degree but still with a significant impact.
A vulnerability that induces unauthorized access to neurons (access control bypass) but requires significant amount of work per neuron, memory corruption of canisters resulting in loss of integrity but constrained by a limiting factor such as being expoitable only on canisters with certain pre-existing properties
The attack is difficult to perform, requires significant technical know-how and cost or the target may have to satisfy strict requirements in order to make a significant impact. Also, the attack that is simpler to perform but with moderate impact falls under this category.
Memory corruption resulting in the crashing of replica process, Client-side vulnerability that allows stealing of credentials or keys from the client (ex, browser) by manipulating the user
The attack that is very difficult to perform or has a minor impact falls under this category.
A bug resulting in an attacker controlling what is displayed to the user without the affecting the server side data, UI redress, a bug that is not demonstrably exploitable but could be exploitable with more research
You can report issues but we don’t provide rewards.
Make sure at every stage of the onboarding process that your wallet address and associated email address are entered correctly to avoid any delay. As a reminder, DFINITY is not responsible for your asset custody nor will it be held accountable for any loss of your ICP distributed to you in the ICP wallet address you have provided.
If you have any questions regarding your KYC application or obtaining your ICP wallet address, please contact DFINITY Support.