Scope & Policy

Author: BNB Chain
Publish Time: Mar 13, 2024

About

BNB Chain is the best Ecosystem of Blockchains for Web3 dApps with massive user bases, dedicated to delivering the core infrastructure necessary for future public adoption, and always remains a community-first and open-source ecosystem built on a permissionless and decentralized environment. Developers can build easily with tutorials, grants, and ecosystem support. For more information, visit https://www.bnbchain.org/en

Policy

BNB Chain is committed to the safety and security of the Blockchain Ecosystem. To help us achieve this goal, we have implemented the BNB Chain Bug Bounty Program, encouraging security researchers and enthusiasts to identify vulnerabilities that directly affect BNB Chain and report them to us. In return for their valuable contributions, we offer rewards based on the severity and impact of the reported issues ("BNB Chain Bug Bounty Program").

Below are the guidelines and conditions for BNB Chain Bug Bounty Program:

1. Scope of the Program

For security issues related to BNB Chain and its components ONLY:

If you have found a security issue that directly affects BNB Chain and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the program.

Non-security related issues:

To report an issue without security impact, please join the BNB Chain community in the AvengerDAO Discord channel and share your issues there. We appreciate all efforts in helping to keep BNB Chain safe.

We will evaluate reported security issues based on the security impact on our users and the BNB Chain ecosystem. Please take a moment to read the rules of the BNB Chain Bug Bounty Program, as well as the eligibility of vulnerabilities and rewards as set forth herein.

1.1. Bounty-Scope

BNB Chain

  Type       Link
  Website    *.bnbchain.org

BNB Beacon Chain and BNB Smart Chain

BNB Greenfield

opBNB

  Type                   Link
  Client Implementation  https://github.com/bnb-chain/opbnb
  Client Implementation  https://github.com/bnb-chain/op-geth

1.2. Out of Scope

Only the targets listed above shall be deemed as part of the BNB Chain Bug Bounty Program ("Bounty-Scope"). The following items are not part of the Bounty-Scope:

  • Our infrastructure, such as web pages, DNS, email, etc.
  • Social engineering tactics (such as phishing or vishing)
  • Physical security breaches
  • Issues in third-party systems, services, or applications outside our domain
  • Denial of service attacks
  • Vulnerabilities solely affecting outdated or unpatched devices/browsers

2. Reporting Guidelines

2.1.

Security researchers should submit their reports to the Bounty Page available at https://bugbounty.bnbchain.org. The report should include a detailed description of the vulnerability, steps to reproduce the issue, the affected environment, a proof of concept, and any relevant screenshots, log files, or other evidence. We encourage researchers to submit their findings as soon as possible to minimize the risk of duplicate reports.

2.2.

The Participants agree to the following:

a) Submitted reports must include a clear, concise, and reproducible description of the identified vulnerability, along with detailed steps to reproduce the issue and supporting evidence such as screenshots or logs.

b) If the vulnerability has already been reported by another participant, the submitted report will be marked as a duplicate and will not be eligible for a reward.

c) BNB Chain Foundation reserves the right to determine the validity and severity of a reported vulnerability at its sole discretion. BNB Chain Foundation also reserves the right to reject any report that does not meet BNB Chain Foundation's guidelines or criteria.

d) Participants shall not disclose any information about the identified vulnerability to any third party without BNB Chain Foundation's prior written consent.

e) Participants must give BNB Chain Foundation a reasonable amount of time to address and rectify the identified vulnerability before any public disclosure.

f) Participants must not engage in any malicious activities that could result in damage to BNB Chain Foundation's systems, loss of data, or any other negative impact.

g) Reports should be written in English.

2.3.

To ensure eligibility in the BNB Chain Bug Bounty Program, participants must adhere to the following template: 

1. Chain: Specify the targeted chain (e.g., BNB Beacon Chain, BSC, opBNB, or Greenfield).

2. Attack Scenario: Provide a detailed description of the attack or bug scenario, along with the unexpected or problematic behavior observed.

3. Impact: Explain the potential effects of this issue in a live production setting.

4. Components: Identify the affected files, functions, and/or specific line numbers where the bug appears.

5. Reproduction Steps: If you used any tools or simulations to discover the bug, thoroughly describe the method to recreate the problematic behavior.

6. Suggested Fix: If applicable, include a description of a possible solution for the issue.

7. Additional Details: Provide any other relevant information not covered in the sections above.

3. Reward

BNB Chain Foundation will distribute the rewards after the evaluation and verification process is complete. The distribution method and timeframe will be communicated to the participants. Participants must provide accurate and valid wallet addresses or other information required for reward distribution.

3.1. Cash Rewards

The reward amount will be determined based on the severity of the vulnerability as set forth in Schedule A. Please find below the reward tiers applicable to BNB Chain Bug Bounty Program:

  SEVERITY   REWARD
  P0         $100,000
  P1         $5,000 – $30,000
  P2         $1,500 – $5,000
  P3         $600 – $1,500
  P4         $200 – $600

3.2. Hall of Fame Recognition

Participants who have demonstrated exceptional skills and contributed significantly to the improvement of BNB Chain's security will be acknowledged through the following means:

a. Public Recognition: The names (or aliases, if preferred) of top contributors will be displayed on our Bug Bounty Hall of Fame webpage, honoring and thanking them for their valuable contributions.

b. Digital Certificate: BNB Chain Foundation will issue a digital certificate of recognition, highlighting the participants' achievements in the BNB Chain Bug Bounty Program.

c. Exclusive Access: Hall of Fame members may be granted exclusive, limited-time access to upcoming features, enabling them to showcase their expertise in assessing vulnerabilities before public release.

To maintain high standards and credibility, BNB Chain Foundation reserves the right to determine the eligibility of participants for the Hall of Fame. Factors that may be taken into consideration include the vulnerability's criticality, the participant's contribution history, and adherence to responsible disclosure guidelines.

BNB Chain Foundation retains the right to remove any participant from the Hall of Fame for reasons including, but not limited to, unethical behavior, violation of BNB Chain Bug Bounty Program rules, or any other actions that may compromise the integrity of the recognition.

4. Eligibility

 

a. Age Requirements: To participate in the BNB Chain Bug Bounty Program, you must be at least 18 years old.

b. Employee Participation: BNB Chain Foundation employees, affiliates, their immediate family members, and contractors are welcome to join the program. However, monetary rewards will not be granted to these participants.

c. Country Restrictions: To be eligible for the program, you must not live in, or hold citizenship of, a country subject to embargoes, sanctions, or conflicts with the BNB Chain Foundation's jurisdiction.

d. Tax Obligations: As a participant, you are responsible for any tax implications based on your country of residence and citizenship.

e. Local Law Compliance: Additional restrictions on your ability to participate may be imposed by your local law. It is your responsibility to ensure compliance.

f. Program Nature: This is not a competition; rather, it is an experimental, discretionary rewards program. The BNB Chain Foundation reserves the right to cancel the program or decide whether to award a reward at any time and entirely at its discretion.

5. Vulnerability Classifications

5.1. Vulnerability Classifications on BNB Beacon Chain and BNB Smart Chain

P0:
  • Validator selection set manipulation
  • Merkle proof validation vulnerabilities
  • Remote leaks of unencrypted private keys / mnemonic / key seed

P1:
  • Vulnerabilities that could undermine the safety of any user's or validator's funds/fees
  • Vulnerabilities that could severely undermine trading or the token economy
  • Remote Code Execution on any BNB Beacon Chain/BNB Smart Chain node, such as Validator nodes, Witness nodes, or Seed nodes
  • Vulnerabilities related to key generation, encryption, decryption, signing and verification
  • Vulnerabilities that could disrupt BNB Beacon Chain governance
  • Transaction origin spoofing or transaction malleability
  • Any issues causing irreparable consensus splits from the rest of the network

P2:
  • Denial of service of any BNB Beacon Chain validator node
  • Vulnerabilities that could undermine or disrupt trading or the token economy
  • Vulnerabilities that could disrupt the Validator consensus result and performance
  • Vulnerabilities that could cause the Accelerated Node to be unable to respond to user queries on orders, transactions, balances, or market depth
  • Access to disabled channels for cross-chain communication
  • Denial of service of cross-chain communication

P3:
  • Denial of service of the BNB Beacon Chain & BNB Smart Chain Explorer
  • Denial of service of seed and/or data seed nodes
  • Denial of service of BSC Relayers / Oracle Relayers

P4:
  • Vulnerabilities that could affect the stability or availability of BNB Beacon Chain / BNB Smart Chain / Explorer
  • Denial of service of non-critical functions

6. General Provisions

6.1.

Participants acknowledge that their participation in the BNB Chain Bug Bounty Program is voluntary and at their own risk. BNB Chain is not responsible for any loss, damage, or liability arising from participation in the program. BNB Chain Bug Bounty Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the BNB Chain Foundation bug bounty panel.

6.2.

BNB Chain Foundation reserves the right to amend, modify, or update the BNB Chain Bug Bounty Policy at any time, without prior notice. Participants are advised to periodically review the policy for any changes. Continued participation in the BNB Chain Bug Bounty Program after any such changes shall constitute acceptance of the updated policy. BNB Chain Foundation reserves the right to terminate the BNB Chain Bug Bounty Program at any time without prior notice and shall not be liable for any unfulfilled rewards or incomplete tasks.

6.3.

By participating in the BNB Chain Bug Bounty Program, researchers agree to comply with all applicable laws and regulations while conducting their research. Unauthorized disclosure of vulnerabilities outside the scope of the program or before an official fix is released by BNB Chain Foundation may result in disqualification from the program and potential legal action.

6.4.

By participating in the BNB Chain Bug Bounty Program, the participants agree to be bound by these clauses and any additional terms and conditions set forth by BNB Chain Foundation.

6.5.

This BNB Chain Bug Bounty Program and any disputes arising out of or relating to it shall be governed by, and construed in accordance with, the laws of Singapore, without giving effect to its conflict of law principles.

6.6.

All disputes arising out of, or in connection with, this BNB Chain Bug Bounty Program shall be resolved in the following manner:

a) Amicable Resolution: The parties shall attempt, in good faith, to negotiate and resolve any disputes or disagreements that may arise by engaging in discussions and consultations for a minimum period of thirty (30) days from the date a written notice is received by either party.

b) All disputes, controversies or claims between the Parties arising out of or in connection with this Agreement (including its existence, validity or termination) shall be finally resolved by arbitration to be held in Singapore, and conducted in English under the Rules of Arbitration of the Singapore International Arbitration Centre; provided, however, that each Party may enforce its or its Affiliates’ intellectual property rights in any court of competent jurisdiction, including but not limited to equitable relief. The arbitral award shall be final and binding on the Parties. Except to the extent of entry of judgment and any subsequent enforcement may require disclosure, all matters relating to the arbitration, including the award, shall be held in confidence.

6.7.

The failure of BNB Chain Foundation to exercise or enforce any right or provision of this policy at any given time shall not constitute a waiver of such right or provision, nor does it prevent BNB Chain Foundation from exercising its rights in the future.

6.8.

If any provision of this BNB Chain Bug Bounty Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

6.9.

This BNB Chain Bug Bounty Policy, along with any additional terms and conditions referenced herein, constitutes the entire agreement between the parties concerning the subject matter hereof and supersedes all prior understandings, agreements, and communications, whether oral or written, relating to the subject matter.

6.10.

BNB Chain Foundation may assign its rights and obligations under this BNB Chain Bug Bounty Policy, in whole or in part, to any affiliate or successor entity without notice to, or consent from, the participants.

6.11.

Nothing in this BNB Chain Bug Bounty Policy is intended to confer any rights or remedies on any persons other than the parties and their respective successors and permitted assigns.

6.12.

By participating in this BNB Chain Bug Bounty Program, the participants agree to adhere to and be bound by this Policy and any additional terms and conditions set forth by BNB Chain Foundation.