dfuse Data Integrity Bounty Program

Background

NOTE: Security Issues are NOT in scope for this program, only data integrity issues

On the web today, it is commonly assumed that when you query a web service, the returned data is legitimate. However, with the kind of information that blockchains deal with -- financial, ownership, authorizations -- the decisions you make based on that data could have a material impact on your life or your business, so data integrity becomes critical.

While some people assume that open source software is more trustworthy, when you query a web-based service you don’t normally have any way of validating what is running there, or whether it has been tampered with. So the fact that a web service is supposedly running open source vs. closed source software is irrelevant -- neither gives you a reliable integrity guarantee. And if the service is a front-end to blockchain data, even the integrity guarantees provided by the blockchain protocol itself can be diluted by your use of an intermediary service.

At dfuse, we believe it’s important that API services providing access to blockchain data provide real assurance to their users of the integrity of the data they serve up. And we believe that services should have skin in the game and put their money where their mouth is. This is why, today, we’re announcing the dfuse Data Integrity Bounty Program, along with our Data Integrity Proof Protocol.

Through this program, we are making a commitment to the integrity of the data available through the dfuse APIs. Here are the details.

Scope

Endpoints in scope:

Qualifying Integrity Issues:

Any data that is part of the general consensus (anything hashed in a block) that is mis-reported by one of the dfuse endpoints listed above. For example:

  • Binary data (hex_data) from actions that does not match the action merkle root in the transaction traces.

  • Missing inline actions or missing data (unless such filtering is requested, e.g. through the GraphQL endpoint)

  • Any other meaningful discrepancies between dfuse output and general consensus data.

We further divide data integrity issues into two categories: high-impact and low-impact:

  • Example of a low-impact issue: a mis-reported receipt.act_digest, which would not directly cause an erroneous decision.

  • Example of a high-impact issue: the data payload of an action reporting a different amount for an eosio.token::transfer than the one agreed to by consensus.

We are offering bounties for reports identifying such issues, based on the following table. For scenarios that do not fall within one of the above categories, dfuse still appreciates reports that help us improve the service to our customers. As such, we may at our discretion choose to reward issues that are not in the categories defined above.
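As an added worked example (not code from dfuse or from this page), the following Python check is the kind of comparison a reporter might run on a returned action trace before filing. It re-packs the action the way EOSIO serializes it (uint64 names, varuint lengths, raw data bytes), hashes the result to compare with receipt.act_digest (the low-impact case above), and decodes the eosio.token::transfer payload from hex_data to compare the amount with the JSON data field (the high-impact case above). The sample trace, the account names and the act_digest in it are constructed fixtures, not on-chain values; the digest formula assumed is sha256 over the packed action, the classic EOSIO definition.

```python
import hashlib
from copy import deepcopy

# EOSIO "name" encoding: up to 12 base32 characters (5 bits each) plus an
# optional 13th character of 4 bits, packed MSB-first into a uint64.
CHARMAP = ".12345abcdefghijklmnopqrstuvwxyz"

def string_to_name(s: str) -> int:
    if len(s) > 13 or any(c not in CHARMAP for c in s):
        raise ValueError(f"invalid name: {s!r}")
    value = 0
    for i, c in enumerate(s[:12]):
        value |= CHARMAP.index(c) << (64 - 5 * (i + 1))
    if len(s) == 13:
        value |= CHARMAP.index(s[12]) & 0x0F
    return value

def name_to_string(value: int) -> str:
    out = [""] * 13
    for i in range(13):  # the 13th character is 4 bits, the rest are 5 bits
        mask, shift = (0x0F, 4) if i == 0 else (0x1F, 5)
        out[12 - i] = CHARMAP[value & mask]
        value >>= shift
    return "".join(out).rstrip(".")

# fc::raw::pack primitives used by the action and transfer serialization
def pack_varuint32(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def read_varuint32(buf: bytes, pos: int):
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def pack_name(s: str) -> bytes:
    return string_to_name(s).to_bytes(8, "little")

def pack_string(s: str) -> bytes:
    b = s.encode()
    return pack_varuint32(len(b)) + b

def pack_asset(text: str) -> bytes:
    # "1.0000 EOS" -> int64 amount (10000) + symbol (precision byte + 7-byte code)
    amount_str, code = text.split(" ")
    precision = len(amount_str.split(".")[1]) if "." in amount_str else 0
    amount = int(amount_str.replace(".", ""))
    symbol = precision | (int.from_bytes(code.encode().ljust(7, b"\0"), "little") << 8)
    return amount.to_bytes(8, "little", signed=True) + symbol.to_bytes(8, "little")

def unpack_asset(b: bytes) -> str:
    amount = int.from_bytes(b[:8], "little", signed=True)
    precision, code = b[8], b[9:16].rstrip(b"\0").decode()
    sign, mag = ("-" if amount < 0 else ""), abs(amount)
    whole, frac = divmod(mag, 10 ** precision)
    digits = f"{whole}.{frac:0{precision}d}" if precision else str(whole)
    return f"{sign}{digits} {code}"

def pack_transfer(d: dict) -> bytes:
    return pack_name(d["from"]) + pack_name(d["to"]) + pack_asset(d["quantity"]) + pack_string(d["memo"])

def unpack_transfer(raw: bytes) -> dict:
    frm = name_to_string(int.from_bytes(raw[0:8], "little"))
    to = name_to_string(int.from_bytes(raw[8:16], "little"))
    n, pos = read_varuint32(raw, 32)
    return {"from": frm, "to": to, "quantity": unpack_asset(raw[16:32]), "memo": raw[pos:pos + n].decode()}

def pack_action(act: dict) -> bytes:
    data = bytes.fromhex(act["hex_data"])
    out = pack_name(act["account"]) + pack_name(act["name"]) + pack_varuint32(len(act["authorization"]))
    for auth in act["authorization"]:
        out += pack_name(auth["actor"]) + pack_name(auth["permission"])
    return out + pack_varuint32(len(data)) + data

def action_digest(act: dict) -> str:
    # Assumption: act_digest = sha256(fc::raw::pack(action)), the original EOSIO
    # definition (later protocol features fold an action return value into it).
    return hashlib.sha256(pack_action(act)).hexdigest()

def verify_trace(trace: dict) -> list:
    """Discrepancies between what the endpoint reported and what the packed bytes
    it also reported actually encode; an empty list means the trace is self-consistent."""
    findings = []
    expected = action_digest(trace)
    if expected != trace["receipt"]["act_digest"]:
        findings.append(f"act_digest mismatch: reported {trace['receipt']['act_digest']}, computed {expected}")
    if (trace["account"], trace["name"]) == ("eosio.token", "transfer"):
        for field, value in unpack_transfer(bytes.fromhex(trace["hex_data"])).items():
            if trace["data"].get(field) != value:
                findings.append(f"data.{field} mismatch: reported {trace['data'].get(field)!r}, hex_data encodes {value!r}")
    return findings

# Constructed fixture resembling one action trace; the act_digest is derived here.
SAMPLE_HEX_DATA = ("0000000000855c34"   # from: alice
                   "0000000000000e3d"   # to: bob
                   "1027000000000000"   # amount 10000
                   "04454f5300000000"   # symbol: precision 4, "EOS"
                   "026869")            # memo "hi"
GENUINE_TRACE = {
    "account": "eosio.token", "name": "transfer",
    "authorization": [{"actor": "alice", "permission": "active"}],
    "hex_data": SAMPLE_HEX_DATA,
    "data": {"from": "alice", "to": "bob", "quantity": "1.0000 EOS", "memo": "hi"},
    "receipt": {},
}
GENUINE_TRACE["receipt"]["act_digest"] = action_digest(GENUINE_TRACE)

def tampered_quantity() -> dict:  # JSON amount disagrees with the packed bytes
    t = deepcopy(GENUINE_TRACE)
    t["data"]["quantity"] = "10.0000 EOS"
    return t

def tampered_hex_data() -> dict:  # last byte of memo changed: "hi" -> "ho"
    t = deepcopy(GENUINE_TRACE)
    t["hex_data"] = SAMPLE_HEX_DATA[:-2] + "6f"
    return t

if __name__ == "__main__":
    for label, tr in [("genuine", GENUINE_TRACE), ("json amount altered", tampered_quantity()),
                      ("hex_data altered", tampered_hex_data())]:
        print(label, "->", verify_trace(tr) or "consistent")
```

A report built on such a check can quote the reported and recomputed values side by side; comparing the same recomputation against the bytes served by an independent node (one of the non-dfuse data points the reporting section asks for) is what turns a self-consistency failure into evidence of a discrepancy with consensus.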

Rewards

Please note these are general guidelines, and that reward decisions are at the discretion of dfuse:

              Low Impact    High Impact
  Minimum     $100          $500
  Maximum     $500          $1,000

Note that the scope of the program is limited to data integrity issues in dfuse software, as produced by our engineers, only; please do not try to hack into our platform, break into our offices, attempt phishing attacks against our employees, and so on.

Program Rules:

  • Please be wary of the volume of data you consume, so as not to disrupt usage, cause a Denial of Service, or have other harmful impacts.

  • To qualify for the bounty, the integrity issue must be original and previously unreported.

  • After a fix has been announced and released for a given issue, a new report can be submitted if new issues are found.

Reporting must be done through HackerOne, and be kept confidential until a fix is confirmed to be deployed by the dfuse team.

Reward Amounts:

  • Refer to the above table for the reward guidelines.

  • The final amount is always chosen at the discretion of the dfuse reward panel.

  • In particular, we may decide to pay higher rewards for unusually clever or severe integrity issues; decide to pay lower rewards for integrity issues that require unusual user interaction; decide that a single report actually constitutes multiple issues; or that multiple reports are so closely related that they only warrant a single reward.

  • For multiple integrity issues with one underlying root cause, where one fix can be applied to remediate, we will consider this as one integrity issue and only award once.

Investigating and reporting issues

Please do not engage in any activity that would be disruptive or damaging to your fellow users or to dfuse.

If you have found an integrity issue, please submit a report through the HackerOne Platform. Only issues reported through the Platform will be considered for the bounty. For other questions unrelated to this Program, please reach out through normal means such as our Telegram channel.

Please include the following in your report:

  • Code used to call the endpoint, with surrounding initialization methods, with the exception of API key material

  • Endpoint and method called

  • Date and time of the requests

  • What you expected the data to be

  • One or more data points from non-dfuse sources that you used to compare the data

  • References to block ids and transactions

  • The Data Integrity Protocol Proof we returned through the endpoint (see the documentation for details)

  • Your name and country

Please be available to cooperate with our engineering team to provide further information on the issue if needed.

Please submit your report as soon as you have discovered a data integrity issue. dfuse will consider the maximum impact and will choose the reward accordingly. We may pay different rewards for otherwise well written and useful submissions where the reporter didn't notice or couldn't fully analyze the impact of a particular issue.

Please note that you will qualify for a reward only if you were the first person to alert us to a previously unknown flaw. We will update you on the progress of your report when it is accepted, validated, fixed and when the bounty is paid out.

Legal

You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
