Announcing the Aleo Bug Bounty Program

July 2023 Update

A little over a month ago, we announced our intent to launch a Bug Bounty Program in partnership with HackerOne and Bugcrowd. At the time of that announcement, we only had the option to submit reports through HackerOne via a private submission form. Aleo is now pleased to announce that our Bug Bounty Program is fully live on both platforms; ethical hackers can view our program pages on Bugcrowd and HackerOne.

All details of the program remain the same as before, which can be viewed on the program pages in the respective platforms or below in this blog post. Some key points to note are:

• The program scope currently only focuses on Aleo’s snarkOS and snarkVM repositories.

• Bounties will be paid based on severity of the bug. HackerOne Common Vulnerability Scoring System (CVSS) and BugCrowd Vulnerability Rating Taxonomy, respectively, will be used as a baseline to determine the severity of a bug, but in some cases the severity might deviate from these scoring systems.

• Aleo must remain compliant with OFAC programs, and thus cannot pay out bounties to residents in OFAC-sanctioned countries.

Again, Aleo is extremely proud to be partnering with Bugcrowd and HackerOne, two leaders in ethical hacking, for our inaugural bug bounty program. We look forward to seeing what contributions the Bugcrowd, HackerOne, and Aleo communities have for building a more secure Aleo ecosystem.

--

Aleo is committed to maintaining a security-first mindset. That’s why we’re excited to launch the Aleo Bug Bounty Program, designed to reward security researchers and white hat hackers who help us identify and report vulnerabilities within the Aleo core protocol. In collaboration with our partners at HackerOne and Bugcrowd, we aim to incentivize skilled developers worldwide to help strengthen the Aleo network. We have an initial reward pool of $500,000 USD for those eager to take on the challenge!

For this inaugural bug bounty program, we will focus on bugs related to our core protocol, specifically the snarkOS and snarkVM GitHub repositories. Since Aleo is currently in testnet, we want to identify and resolve severe vulnerabilities that would significantly impact the Aleo network. Addressing these issues before mainnet will ensure we proactively maintain the highest security standards. Over time the scope of this program will broaden to become more generalized, ensuring the ongoing security and improvement of the Aleo ecosystem.

We call upon security researchers and white hat hackers to join our mission of securing the Aleo ecosystem in anticipation of mainnet launch. By participating in the Aleo Bug Bounty Program, you can help make a meaningful impact on the platform’s overall security while gaining recognition and being rewarded for your valuable contributions.

Overview

This bug bounty program has launched on both HackerOne and we are working to launch on Bugcrowd soon. We're partnering with these platforms to broaden the talent pool of security researchers and white hat hackers that might want to participate in this program. Focusing on vulnerabilities within the snarkOS and snarkVM GitHub repositories, participants can currently submit bug reports via our bug bounty program page on HackerOne; the option to submit a report through Bugcrowd will come soon! For this program, we have an initial rewards pool totaling $500,000 USD. The amount of money you can receive per bug report submitted will vary depending on the severity of the identified vulnerability and its impact on the Aleo core protocol. 

Program Brief

The Aleo Bug Bounty Program is designed to encourage the discovery and reporting of vulnerabilities within the following AleoHQ GitHub repositories ONLY:

1. snarkOS

2. snarkVM

Bug reports submitted are considered in-scope if they produce a vulnerability that impacts either of these two repos. In general, our program scope is quite large. Participants who submit an accepted bug report will receive a USD reward according to the severity of the issue, as defined by HackerOne Common Vulnerability Scoring System (CVSS). Please note that, in some cases, prioritization/ratings may vary from this scoring system. On the program page, we outline specific examples of what constitutes a critical, high, medium, or low-severity bug. For more information, please check out the HackerOne submission page.

Below is a table outlining this program's various levels of bug severity, along with their associated reward ranges. The Aleo core team reserves the right to award an additional bonus for exceptional reports regardless of bug severity.

It is also possible that extraordinarily severe issues or those with disproportionate impact may be rewarded over $25,000. There is no limit to the amount that can be awarded in this case. It is at the discretion of the Aleo core team to determine the amount.

Here's how to participate

To participate in the Aleo Bug Bounty Program, follow these steps:

1. Identify a vulnerability that impacts the snarkOS and/or snarkVM GitHub repositories. 

2. Submit a bug report on Aleo's program page via HackerOne. a. You must create an account and follow their rules and guidelines. b. The submission page contains information on what is required to submit a valid bug report. Please make sure to follow these instructions.

3. Await review by our triage team. We will notify you of our assessment as soon as we can. Depending on the complexity of the bug report, this could take some time.

4. If a bug report is accepted as valid, you will be informed of the reward amount and paid using the banking information you provided when signing up on H1 or BC. 

The initial review for submitted bug reports will be conducted by our platform partners’ triage team. Following this initial review, members of the Aleo core team will conduct an in-depth assessment and determine the appropriate reward based on its severity. In the case of a duplicate bug report, the first person who reported the issue will receive the reward. Remember to stick to the program scope outlined on HackerOne, as any submissions outside this scope will not be considered. You can currently submit bugs through HackerOne, but we will soon have the option to submit bugs through Bugcrowd as well.

Relevant Links

• Aleo Developer Documentation

• snarkOS Github Repo

• snarkVM GitHub Repo

The success of Aleo depends on the vigilance and expertise of skilled contributors. This bug bounty program is a testament to our commitment to rewarding those who help us ensure the highest level of security for our users. 

Don't wait - head over to Aleo's bug bounty program page on HackerOne to learn more about the program scope, rules, and submission process. Together, we can build a more secure and reliable Aleo ecosystem.

Terms & Conditions

To claim a reward, you must complete KYC/AML and pass OFAC screening in accordance with Aleo's internal policies. If you fail to successfully complete the KYC/AML process, you will be automatically disqualified. When you sign up for HackerOne, you will automatically be required to complete this process.

You will also be required to abide by all terms and conditions outlined by HackerOne, as well as the Aleo Ecosystem Contributor Program Terms of Service.