Bitcoin Satoshi Vision (BSV) was created to restore the original Satoshi protocol, keep it stable, and enable it to massively scale. Unlike other Bitcoin projects, only Bitcoin SV has the plan for a stable protocol and plan for massive on-chain scaling to become the world’s new money and the global public blockchain for enterprise.
The bug bounty program is focused on the BSV code base and spans it end-to-end: the soundness of the protocols (blockchain consensus model, wire and p2p protocols, proof of work, etc.), the protocol implementation and its compliance with the protocol, network security, and consensus integrity.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability with the following categorization:
- Critical - Catastrophic impact on the network as a whole; network availability compromised; loss of funds
- High - Impacts individual nodes; individual node crashes; potential for a loss of funds
- Medium - Not easily exploitable; medium impact; no loss of funds
- Low - Not easily exploitable; low impact
The level of exploitability is determined by the Bitcoin Association for BSV.
A proof of concept is not required but is recommended to allow faster processing of the bug report. This proof of concept should be code.
Payouts are handled by the Bitcoin Association for BSV directly and are denominated in USD. However, payouts are done in BSV.
- Critical - USD $100,000
- High - USD $50,000
- Medium - USD $10,000
- Low - USD $1,000
Assets in scope
- Node Repository (see added restrictions), type: Blockchain/DLT
Not all of https://github.com/bitcoin-sv/bitcoin-sv is considered in-scope of the bug bounty program. Please note the following details with regards to what is in-scope and what is out-of-scope:
Branches in scope:
- master branch
- most recently updated branch with prefix rc-*
- branches prefixed with review-*
Branches out of scope:
- branches prefixed with dev-*, exp-* or research-*
- branches suffixed with *-beta
- all other branches not specified as in scope
If you believe that your bug report that covers a branch in scope is critical and wish to use a secure method of communication, please see our PGP key at the bottom.
The scope is further limited to those Operating Systems & hardware platforms for which binaries are released by the Bitcoin SV Node implementation team. Any external code in the GitHub link is out-of-scope.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Catastrophic impact on the network as a whole (Critical)
- Network availability compromised (Critical)
- Loss of funds (Critical)
- Impacts individual nodes (High)
- Individual node crashes (High)
- Potential for a loss of funds (High)
- Impact not easily exploitable - other medium impact (Medium)
- Impact with no loss of funds (Medium)
- Impact not easily exploitable - other low impact (Low)
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks that rely on social engineering
- Attacks requiring access to leaked keys/credentials
- Basic economic governance attacks (e.g. 51% attack)
- Best practice critiques
- Sybil attacks
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- UI bugs and spelling mistakes on this or any associated website
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Resource exhaustion attacks not satisfying all 3 conditions above
The following activities are prohibited by this bug bounty program:
- Violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
- Public disclosure of an unpatched vulnerability in an embargoed bounty*
- Interacting with anything other than test accounts you own or with explicit permission from the account holder.
- Any testing with mainnet or public testnet; all testing should be done on private testnets
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode
If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), or proprietary information.
*An embargo period is a fixed period of time from when a bug is reported to when a bug reporter can publicly disclose it. Bug reporters must not publicly discuss or disclose the presence or details of a bug during the embargo period. Once the embargo period is over bug reporters will be free to publicly discuss and disclose the details of the bug they’ve found and any proof-of-concept exploits that they may have written to validate the bug, with the exception of reports related to resource exhaustion attacks.
Please note, we do not want to receive any sensitive data during any disclosure, such as personally identifiable information (PII) or any data associated with private/public keys.
Bitcoin SV Security Team PGP Key