Introduction

The Credits software development team is committed to ensuring the reliability and security of the Credits platform for its customers. We are launching a program that offers you recognition and a decent reward for errors and vulnerabilities found in the Credits platform. You can participate in the Bug Bounty program through the Credits platform's listings on Bugcrowd and HackerOne.

Rules

  • The Credits software development team and any project participant working with the Credits codebase are not eligible to receive a reward;
  • Public disclosure of a vulnerability makes it ineligible for a bounty;
  • No reward is payable once the prize fund is exhausted;
  • First come, first served;
  • Submitting a report is a mandatory condition for receiving a reward;
  • Each participant of the Credits Bounty program can send any number of reports;
  • No reward is payable if the report does not contain information on how to reproduce the detected vulnerability.

Reward

Vulnerabilities are classified according to the OWASP Top 10:

  • A1 Injection;
  • A2 Broken Authentication;
  • A3 Sensitive Data Exposure;
  • A4 XML External Entities (XXE);
  • A5 Broken Access Control;
  • A6 Security Misconfiguration;
  • A7 Cross-Site Scripting (XSS);
  • A8 Insecure Deserialization;
  • A9 Using Components with Known Vulnerabilities;
  • A10 Insufficient Logging & Monitoring.

The risk assessment scheme is presented in accordance with OWASP Risk Rating Methodology.

The final decision on whether an award is granted, and its size, rests with the Credits software development team.

The Credits software development team appreciates your work and your contribution to improving the Credits platform! Besides the rewards, your achievements will be reflected in the leaderboard for the duration of the Credits Bug Bounty Program.

The evaluation and the amount of remuneration are affected by, but not limited to, the following:

  • Quality of description: the amount of reward increases if you provide clear, structured, well-written materials;
  • Quality of reproduction: please include test information, scripts and detailed instructions in the description. The easier it is for us to reproduce and verify the vulnerability you discovered, the faster you will receive a response from us and, accordingly, the reward;
  • Quality of the proposed fix, if included: clear materials that describe how to fix the problem are rewarded at a higher rate.

Important legal information

Determining eligibility to participate in the program, the evaluation, and the conditions under which rewards are granted is the prerogative of the Credits platform software development team. Legal issues related to personal income tax, in the amounts and in the manner required, are handled in accordance with the legislation applicable to the participant. In addition, official recognition and rewards within the framework of the Credits Bug Bounty Program are not granted to persons from countries subject to sanctions.

Scope

The main ideas of the CREDITS platform are described in the White Paper. In scope are the protocols, algorithms and models of the platform (the Credits-specific consensus, the p2p protocol, Ed25519, etc.). We suggest that you research issues that could lead to the theft of funds from any participant or to the inaccessibility of those funds for any reason, as well as problems that violate the internal logic of a smart contract.

The priority within the Credits Bug Bounty Program is the detection of faults and vulnerabilities in the following areas:

  • Protocol security;
  • Cryptographic techniques;
  • Security of the main components: node, web-site, wallet and smart contract;
  • Other areas of research.

Protocol security

  • Conceptual security issues in the formal specification of Credits;
  • Security weaknesses and possible attack scenarios for the Credits-specific consensus algorithm.

Cryptographic primitives’ security

  • Elliptic curves (ECDSA25519, ECMQV);
  • Hash algorithms;
  • Tiger Tree Hashing.

Network security

The audit focuses on generalized attacks across the whole network or a subset of it:

  • Sybil attack;
  • Replay attack;
  • Slowing time down;
  • Transactions vulnerability (Interception and change of information / transaction when passing through the network);
  • Segmentation and loss of transactions;
  • Router Attack and Network Sharing;
  • Global DoS.

Node security

  • Virus attacks on user wallets;
  • Black hole attack;
  • Slowing time down;
  • Attacking the environment of a legitimate node with compromised nodes;
  • Participation of a compromised node in the Byzantine-generals decision-making round on the inclusion of a transaction;
  • Replay attack.

Client protocol implementation security

Determine whether the client implementation conforms to the official specification of Credits in the following areas:

Wallet:

  • Vulnerabilities of the wallet (hacking a private key, hacking the browser version of the wallet, use of hashed data for authentication, access by password guessing, weak random data used for access when hashing, etc.);
  • Execution of transactions;
  • Calling messages.

Smart contract:

  • Execution of arbitrary code;
  • Creation of a contract;
  • Execution of transactions;
  • Calling messages;
  • Calculation and enforcement of fees.

Web-site:

  • Calling messages;
  • CSRF;
  • SQL injection.

Client application security

  • Incorrectly processed errors;
  • Buffer overflow/Integer overflow;
  • Man in the Middle attack;
  • Issues related to external libraries used.

Java language security

Incorrect behavior of the Java code generator or optimizer, which could cause unintended functionality (bugs) in the generated contract code.