Unchained Capital ETH Multisig Vault Bounty Program:
Unchained Capital believes that cryptocurrencies and multisignature custody can be among the safest ways to store wealth.
When we sought to deploy our own multisig Ethereum contracts to support lending against ETH as a form of collateral, we carefully considered how to design the safest implementation from first principles to be the best stewards of our customers’ collateral.
On March 8, 2018, Unchained Capital open-sourced its multisig Ethereum smart contract. We are running a bug bounty program around the smart contract release as detailed below.
In doing so, we hope to work with security researchers and the community to help make the Ethereum ecosystem safer by collaborating on testing, vulnerability identification, and progressive enhancements of the project.
Scope of the Bug Bounty:
The Solidity contracts of Unchained Capital’s multisig smart contract implementation. While we appreciate bug reports, the reference dApp and ancillary items such as command-line scripts and unit tests are excluded from the multisig bounty program.
Similar to the Ethereum Foundation’s bounty program, Unchained Capital will use OWASP’s Impact and Likelihood risk framework to help evaluate bounties. All bounties and awards will be subject to the sole discretion of the Unchained Capital team.
Unchained Capital’s multisig bounty program has an award pool of up to $150,000.
Accepted bounties are awarded based on the following size guidelines:
- Critical: up to $50k
- High: up to $30k
- Medium: up to $20k
- Low: up to $5k
- Note: up to $1k
Bounty Rules and Guidelines:
- Bounties are awarded on a first-report basis.
- Responsibly disclose.
- Do not try to actively exploit vulnerabilities and security issues that are found.
- Do not publicize details of vulnerabilities until after confirmation and approval from the Unchained Capital team.
- Non-security issues are not eligible, although feedback is welcome!
- Social engineering of the Unchained Capital team is not within scope.
- Evaluations of eligibility, severity, and all terms related to a bounty and award are at the sole and final discretion of the Unchained Capital team.
- E-mail bounty reports to firstname.lastname@example.org
- Our PGP key can be found here.
- Comprehensively report bounties with detailed descriptions of the vulnerability or security issue, reproduction steps, supporting artifacts, and suggested fixes (if any).
- Please note: Quality of the report is considered in determinations of awards.
- Follow Responsible Disclosure and the other guidelines described above.
- Issues can be submitted anonymously.
- Rewards can be paid in ETH (at market rates). Please include a single ETH address to which the reward should be sent if your report and issue are accepted.
Unchained Capital’s team will evaluate all reports through the following steps:
- Triage, validate, and analyze vulnerability reports
- Communicate with bounty reporters
- Evaluate and disburse bounties
- Analyze vulnerability root cause and develop fix or mitigation plan
- Disclose and update the Community