Robert Forster, CTO of ArmorFi, a smart insurance aggregator for DeFi which provides Pay as You Go and Only Pay What You Owe ᴰᵀᴹ coverage for user funds across various protocols, is interested in securing the wider Ethereum ecosystem by encouraging responsible disclosures to prevent catastrophic hacks on any project on Ethereum. In light of the success from ArmorFi’s bug bounty program where Alexander Schlindwein @bobface16 from IdeaMarkets disclosed a critical bug via Immunefi, Robert Forster is launching the Founders Bounty program with a reward of 125 000 ARMOR and to get a tattoo inspired by the whitehat's name.
The bug bounty program covers critical smart contract bugs across the Ethereum ecosystem according to the Immunefi Vulnerability Severity Classification System that could result in the immediate loss of the equivalent of at least USD 1 million.
If the affected project is covered by the Armor Alliance Bug Bounty Challenge, the structure of the reward and the eligibility for the Founders Bounty is affected. Further details in the Reward section below.
Bug Disclosure Process
- After you find a serious smart contract bug that causes over at least USD 1m of user funds to be at risk, submit your smart contract bug report here according to our bug report process
- Immunefi will assess the reproducibility of the smart contract bug to validate it as well as the threat level
- Immunefi will then contact the project on your behalf and facilitate the disclosure communications according to the requirements of the project. Immunefi will keep you updated throughout the process
The fine print: Robert Forster, CTO of ArmorFi, provides Founders Bounty as a service to the Ethereum community. Robert Forster and the ArmorFi team receive no compensation for any of its activities under the Founders Bounty program. Robert Forster, ArmorFi, and Immunefi cannot guarantee a response from the affected project for bugs submitted through the Founders Bounty program. Additionally, the USD amount mentioned in this bug bounty program is only an estimate based on the exchange rate at the time of the posting of this bug bounty program. The stated amount of ARMOR in this program will be the awarded amount.
Bugs in Scope
The scope of the Founders Bounty program is only around smart contract bugs of projects on Ethereum that could result in the loss of a total of at least USD 1 million worth of user funds, either by loss of access or by theft.
Robert Forster will reward successful disclosures with 125 000 ARMOR, with vesting up to 24 months.
If a project has an existing bug bounty program, or if the project decides to reward you as well, you’ll get the full payout reward they have for the critical bug in addition to the reward in ARMOR.
If the value of the total reward of 125 000 ARMOR and the existing bug bounty program, if any, is greater than USD 1 million, the reward is capped at 100% of the funds at risk.
Robert Forster will also be getting a tattoo inspired by the name of whitehats who successfully submit a report, per report.
In the event that the affected program is part of the Armor Alliance Bug Bounty Challenge, the Founders Bounty reward will not take effect if the total Alliance reward in ARMOR is equal to or greater than 125 000 ARMOR. In the event that the reward is less than 125 000 ARMOR, the Founders Bounty will only cover the remaining amount until the total amount of ARMOR rewarded is 125 000 ARMOR.
Accepted Vulnerability Types
Here’s a list of the vulnerability types that the program accepts to give you a better idea on what Founders Bounty is able to support. However, this is by no means an exhaustive list of all vulnerabilities that are accepted in the program. Note that only the vulnerability types under “Smart Contracts and Blockchain” are accepted.Accepted Vulnerabilities
Unaccepted Vulnerability Types and Rules
The following vulnerabilities are not accepted by our Disclosure Assistance program, as well as all web and app vulnerabilities.Unaccepted Vulnerabilities
We also generally do not work with bug reports that have violated any of our standard rules:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Disassembly or reverse engineering of binaries for which source code is not published, not including smart contract bytecode