Bug bounty lido feedback #328

Merged
merged 4 commits into from
Mar 1, 2024
199 changes: 123 additions & 76 deletions docs/sec/bug-bounty.md
Expand Up @@ -3,131 +3,178 @@ sidebar_position: 2
description: Bug Bounty Policy
---

# Obol Bug Bounty
# Obol Bug Bounty Program

## Overview

Obol Labs is committed to ensuring the security of our distributed validator software and services. As part of our commitment to security, we have established a bug bounty program to encourage security researchers to report vulnerabilities in our software and services to us so that we can quickly address them.
At Obol Labs, we prioritize the security of our distributed validator software and related services. Our Bug Bounty Program is designed to encourage and reward security researchers for identifying and reporting potential vulnerabilities. This initiative supports our commitment to the security and integrity of our products.

## Eligibility
## Participant Eligibility

To participate in the Bug Bounty Program you must:
Participants must meet the following criteria to be eligible for the Bug Bounty Program:

- Not be a resident of any country that does not allow participation in these types of programs
- Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program
- Have permission from your employer to participate
- Not be (for the previous 12 months) an Obol Labs employee, immediate family member of an Obol employee, Obol contractor, or Obol service provider.
- Not reside in countries where participation in such programs is prohibited.
- Be at least 14 years of age and possess the legal capacity to participate.
- Have received consent from your employer, if applicable.
- Not have been employed or contracted by Obol Labs, nor be an immediate family member of an employee, within the last 12 months.

## Scope
## Scope of the Program

The bug bounty program applies to software and services that are built by Obol. Only submissions under the following domains are eligible for rewards:
Eligible submissions must involve software and services developed by Obol, specifically under the domains of:

- Charon the DV Middleware Client
- The DV Launchpad
- Obol’s Public API
- Obol’s Smart Contracts and the contracts they depend on.
- Obol DV Launchpad and Public API
- Obol Splits Contracts
- Obol Labs hosted Public Relay Infrastructure

Additionally, all vulnerabilities that require or are related to the following are out of scope:
Submissions related to the following are considered out of scope:

- Social engineering
- Rate Limiting (Non-critical issues)
- Physical security
- Non-security-impacting UX issues
- Vulnerabilities or weaknesses in third party applications that integrate Obol
- The [Obol](https://obol.tech) static website or the Obol infrastructure in general is NOT part of this bug bounty program
- Physical security breaches
- Non-security related UX/UI issues
- Third-party application vulnerabilities
- The [Obol](https://obol.tech) static website or the Obol infrastructure
- The operational security of node operators running or using Obol software

## Rules
## Program Rules

- Bug has not been publicly disclosed
- Vulnerabilities that have been previously submitted by another contributor or already known by the Obol development team are not eligible for rewards
- The size of the bounty payout depends on the assessment of the severity of the exploit. Please refer to the rewards section below for additional details
- Bugs must be reproducible in order for us to verify the vulnerability. Submissions with a working proof of concept is necessary
- Rewards and the validity of bugs are determined by the Obol security team and any payouts are made at their sole discretion
- Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of Obol
- Details of any valid bugs may be shared with complementary protocols utilised in the Obol ecosystem in order to promote ecosystem cohesion and safety.
- Submitted bugs must not have been previously disclosed publicly.
- Only first reports of vulnerabilities will be considered for rewards; previously reported or known vulnerabilities are ineligible.
- The severity of the vulnerability, as assessed by our team, will determine the reward amount. See the "Rewards" section for details.
- Submissions must include a reproducible proof of concept.
- The Obol security team reserves the right to determine the eligibility and reward for each submission.
- Program terms may be updated at Obol's discretion.
- Valid bugs may be disclosed to partner protocols within the Obol ecosystem to enhance overall security.

## Rewards
## Rewards Structure

The rewards for participating in our bug bounty program will be based on the severity and impact of the vulnerability discovered. We will evaluate each submission on a case-by-case basis, and the rewards will be at Obol’s sole discretion.
Rewards are issued based on the severity and impact of the disclosed vulnerability, determined at the discretion of Obol Labs.

### Low: up to $500
### Critical Vulnerabilities: Up to $100,000

A Low-level vulnerability is one that has a limited impact and can be easily fixed. Unlikely to have a meaningful impact on availability, integrity, and/or loss of funds.

- Low impact, medium likelihood
- Medium impact, low likelihood

Examples:

- Attacker can sometimes put a charon node in a state that causes it to drop one out of every one hundred attestations made by a validator
- Attacker can display bad data on a non-interactive part of the launchpad.

### Medium: up to $2,500

A Medium-level vulnerability is one that has a moderate impact and requires a more significant effort to fix. Possible to have an impact on validator availability, integrity, and/or loss of funds.
A Critical-level vulnerability is one that has a severe impact on the security of the in-production system from an unauthenicated external attacker, and requires immediate attention to fix. Highly likely to have a material impact on validator private key security, and/or loss of funds.

- High impact, low likelihood
- Medium impact, medium likelihood
- Low impact, high likelihood
- High impact, high likelihood

Examples:
Impacts:

- Attacker that is a member of a cluster can exfiltrate K1 key material from another member.
- Attacker that is a member of the cluster can denial of service attack enough peers in the cluster to prevent operation of the validator(s)
- Attacker that is a member of the cluster can bias the protocol in a manner to control the majority of block proposal opportunities.
- Attacker can get a DV Launchpad user to inadvertently interact with a smart contract that is not a part of normal operation of the launchpad.
- Attacker that is not a member of the cluster can successfully exfiltrate BLS (not K1) private key material from a threshold number of operators in the cluster.
- Attacker that is not a member of the cluster can achieve the production of arbitrary BLS signatures from a threshold number of operators in the cluster.
- Attacker can craft a malicious cluster invite capable of subverting even careful review of all data to steal funds during a deposit.
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Direct loss of funds
- Permanent freezing of funds (fix requires hard fork)
- Network not being able to confirm new transactions (Total network shutdown)
- Protocol insolvency

### High: up to $10,000
### High Vulnerabilities: Up to $10,000

A High-level vulnerability is one that has a significant impact on the security of the system from a position of low-trust, and requires a significant effort to fix. Likely to have impact on availability, integrity, and/or loss of funds.
For significant security risks that impact the system from a position of low-trust and requires a significant effort to fix.

- High impact, medium likelihood
- Medium impact, high likelihood

Examples:
Impacts:

- Attacker that is not a member of the cluster can successfully partition the cluster and keep the cluster offline indefinitely.
- Attacker that is not a member of the cluster can exfiltrate charon ENR private keys.
- Attacker that is not a member of the cluster can destroy funds but cannot steal them.
- Unintended chain split (Network partition)
- Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments
- RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
- Theft of unclaimed yield
- Theft of unclaimed royalties
- Permanent freezing of unclaimed yield
- Permanent freezing of unclaimed royalties
- Temporary freezing of funds
- Retrieve sensitive data/files from a running server:
- blockchain keys
- database passwords
- (this does not include non-sensitive environment variables, open source code, or usernames)
- Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
- Changing cluster information
- Withdrawals
- Making trades

### Medium Vulnerabilities: Up to $2,500

For vulnerabilities with a moderate impact, affecting system availability or integrity.

### Critical: up to $100,000
- High impact, low likelihood
- Medium impact, medium likelihood
- Low impact, high likelihood

A Critical-level vulnerability is one that has a severe impact on the security of the in-production system from an unauthenicated external attacker, and requires immediate attention to fix. Highly likely to have a material impact on validator private key security, and/or loss of funds.
Impacts:

- High impact, high likelihood
- Attacker that is a member of a cluster can exfiltrate K1 key material from another member.
- Attacker that is a member of the cluster can denial of service attack enough peers in the cluster to prevent operation of the validator(s)
- Attacker that is a member of the cluster can bias the protocol in a manner to control the majority of block proposal opportunities.
- Attacker can get a DV Launchpad user to inadvertently interact with a smart contract that is not a part of normal operation of the launchpad.
- Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours
- Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network
- Charon cluster identity private key theft
- Rogue node operator to penetrate and compromise other nodes to disturb the cluster’s lifecycle
- Charon public relay node is compromised and lead to cluster topologies getting discovered and disrupted
- Smart contract unable to operate due to lack of token funds
- Block stuffing
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
- Redirecting users to malicious websites (Open Redirect)

### Low Vulnerabilities: Up to $500

For vulnerabilities with minimal impact, unlikely to significantly affect system operations.

Examples:
- Low impact, medium likelihood
- Medium impact, low likelihood

- Attacker that is not a member of the cluster can successfully exfiltrate BLS (not K1) private key material from a threshold number of operators in the cluster.
- Attacker that is not a member of the cluster can achieve the production of arbitrary BLS signatures from a threshold number of operators in the cluster.
- Attacker can craft a malicious cluster invite capable of subverting even careful review of all data to steal funds during a deposit.
Impacts:

We may offer rewards in the form of cash, merchandise, or recognition. We will only award one reward per vulnerability discovered, and we reserve the right to deny a reward if we determine that the researcher has violated the terms and conditions of this policy.
- Attacker can sometimes put a charon node in a state that causes it to drop one out of every one hundred attestations made by a validator
- Attacker can display bad data on a non-interactive part of the launchpad.
- Contract fails to deliver promised returns, but doesn't lose value
- Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network
- Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction such as:
- Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)
- Taking over broken or expired outgoing links such as:
- Social media handles, etc.
- Temporarily disabling user to access target site, such as:
- Locking up the victim from login
- Cookie bombing, etc.

Rewards may be issued as cash, merchandise, or other forms of recognition, at Obol's discretion. Only one reward will be granted per unique vulnerability.

## The following activities are prohibited by this bug bounty program

- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty

## Submission process

Please email [email protected]

Your report should include the following information:
To report a vulnerability, please contact us at [email protected] with:

- Description of the vulnerability and its potential impact
- Steps to reproduce the vulnerability
- Proof of concept code, screenshots, or other supporting documentation
- Your name, email address, and any contact information you would like to provide.
Reports that do not include sufficient detail will not be eligible for rewards.
- A detailed description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Any relevant proof of concept code, screenshots, or documentation.
- Your contact information.

## Disclosure Policy
Incomplete reports may not be eligible for rewards.

Obol Labs will disclose the details of the vulnerability and the researcher’s identity (with their consent) only after we have remediated the vulnerability and issued a fix. Researchers must keep the details of the vulnerability confidential until Obol Labs has acknowledged and remediated the issue.
## Disclosure and Confidentiality

## Legal Compliance
Obol Labs will disclose vulnerabilities and the identity of the researcher (with consent) after remediation. Researchers are required to maintain confidentiality until official disclosure by Obol Labs.

All participants in the bug bounty program must comply with all applicable laws, regulations, and policy terms and conditions. Obol will not be held liable for any unlawful or unauthorised activities performed by participants in the bug bounty program.
## Legal and Ethical Compliance

We will not take any legal action against security researchers who discover and report security vulnerabilities in accordance with this bug bounty policy. We do, however, reserve the right to take legal action against anyone who violates the terms and conditions of this policy.
Participants must adhere to all relevant laws and regulations. Obol Labs will not pursue legal action against researchers reporting vulnerabilities in good faith, but reserves the right to respond to violations of this policy.

## Non-Disclosure Agreement
## Non-Disclosure Agreement (NDA)

All participants in the bug bounty program will be required to sign a non-disclosure agreement (NDA) before they are given access to closed source software and services for testing purposes.
Participants may be required to sign an NDA for access to certain proprietary information during their research.
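Review bot: the rewritten "Impacts" lists under Critical and High import generic layer-1 template items that do not match the scope this same file defines (Charon, the DV Launchpad and Public API, the Splits contracts, the hosted relays), while the Charon-specific High examples from the old text were dropped. Items such as "Permanent freezing of funds (fix requires hard fork)", "Unintended chain split (Network partition)" and "Temporary freezing of network transactions by delaying one block by 500% or more ..." describe a chain, not a DV middleware client; the same applies to "Protocol insolvency", "RPC API crash affecting projects with greater than or equal to 25% of the market capitalization" and the "unclaimed royalties" entries. Suggest either removing those or stating which Obol component each applies to, and restoring the removed High examples (non-member partitions the cluster and keeps it offline indefinitely; non-member exfiltrates charon ENR private keys; non-member can destroy but not steal funds), since "Charon cluster identity private key theft" now appears only under Medium with no statement of the attacker's position, which reads as a silent severity downgrade of the ENR-key case. Smaller points in the same hunk: the typo "unauthenicated" in the Critical description is carried over from the old text; "For significant security risks that impact the system ... and requires a significant effort to fix" should read "require"; and "Shutdown of greater than 10% or equal to but less than 30% of network processing nodes" is easier to read as "Shutdown of more than 10% but less than 30% of network processing nodes".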