Help Us Make Polkadot <> Kusama Bridge More Secure!

In blockchain technologies, bridges have emerged as vital components connecting different blockchain ecosystems. As a concept, bridges enable transferring data, assets, and more between multiple chains. Yet, due to their pivotal role and high transaction volumes, they have simultaneously become a hotspot for malicious activities. When exploited, these breaches can lead to significant financial losses. The detailed risk assessment is elaborated in the Polkadot/Kusama Bridge Threat Model. For more in-depth information, please see the Appendix section.

What’s In Scope?

Parity Bridges Common the collection of components for building bridges like Substrate pallets for syncing headers, passing arbitrary messages, as well as libraries for building relayers to provide cross-chain communication capabilities.

• Bridges Common:

  • https://github.com/paritytech/parity-bridges-common↗
  • https://github.com/paritytech/polkadot-sdk/tree/master/bridges↗

• XCM and BridgesHub:

  • https://github.com/paritytech/polkadot-sdk/tree/master/cumulus/parachains/runtimes/bridge-hubs↗
  • https://github.com/polkadot-fellows/runtimes/tree/main/system-parachains/bridge-hubs↗

What Is A Good Submission?

If there is no impact, then we aren’t really interested. Purely-theoretical findings are sometimes entertaining to investigate, so feel free to send us any. However, if there’s no way it can be used to break our systems in practice, it won’t be eligible. Read carefully and avoid submissions being discarded:

• Provide a working proof-of-concept (or equivalent evidence) — assuming that your research didn’t produce unrecoverable changes. This helps us to evaluate whether your submission is within the program’s scope and usable in possible attacks.
• Include your vision of the potential impact and potential attack scenario, including required attack conditions.
• The bug must be original and previously unreported (no traces of reporting in public issues or internal audits), however, include links to issues or PR where conversations lead you to the discovery or introduction of the vulnerability.

How You Get Paid

1. Bounty eligible bug hunters will be asked to do a KYC to prove their identity.
2. Bug hunters have to sign a reward letter.
   • Details about payment timeframe and more will be detailed in the letter.
3. We will request a DOT/KSM address to send you the reward.

Submit Your Findings!

Send your finding ONLY to the following email address bridgesbugbounty@polkadot.network, make sure to double check the “What Is A Good Submission?” section to avoid getting your submissions rejected. You can always review the on-chain referenda document↗ to know more details about the program and dynamics of it.

Rules of the Road

Let’s get us in the same page:

1. Submissions outside the official start date will not be considered for this campaign. If you suspect that the flaw you found may be fatal for the items in the scope, please do NOT take further actions. Instead, describe your assumptions as detailed as possible in the report.
2. If you’re able to compromise something significant, please stop at the point of recognition, collect the small evidence (enough to understand where you are and what you can do), and report the vulnerability.
3. Duplicate submissions made within 72 hours of each other will split the bounty between reporters. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a prorated additional bounty on top of the split. Despite striving to be transparent as much as possible, we do not disclose other participant’s names in such cases.
4. If you inadvertently access, modify, delete, or store user data, we ask that you notify us immediately at bridgesbugbounty@polkadot.network and delete any stored data after notifying us.

Our Security team will investigate and level up the bounty if it has a greater impact than you were able to determine without breaking our stuff. Please do not break our (or anyone’s) stuff as during the bounty program period more people will be using the same resources.

Reward Eligibility

As a main rule, a reward will ONLY be made once the patch for the vulnerability has landed and been released and you are NOT allowed to share any part of the security issue with any third party, without our written consent first. In addition, consider the following:

• You must not have written the buggy code or otherwise been involved in contributing the buggy code to the Polkadot/Kusama project.
• You must be old enough to be eligible to participate in and receive payment from this program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.
• We might be prevented by law from paying you. For example, if you happen to live in a country on a sanctions list that applies to us. In this case, if we can, we’re happy to make a donation to a well-established charity.
• You must NOT either directly or indirectly exploit the security vulnerability for your own gain/incite, or encourage/assist anyone else in doing so.
• Each bug will only be considered for a reward once.

Do not threaten or attempt to extort members of the Polkadot/Kusama ecosystem. We reserve the right to disqualify individuals if they threaten to withhold the security issue from us or threaten to release the vulnerability, or any exposed data, to the public or any third party — or otherwise act in a malicious, disrespectful, or disruptive manner. Finally, the reward mechanism is articulated over following areas:

• A Hall of Fame of the Bug reporter will be published and regularly updated based on new reports and associated criticality (if they wish to preserve their anonymity, their avatar can be used instead)
• Based on the criticality a financial reward will be awarded
• For the top 5 people on the Bounty Hall of Fame, if they wish their candidacy to the Polkadot Blockchain Academy will be considered in priority and the Top1 will have a slot reserved.

Legal And Privacy

The Bug Bounty Program is a discretionary rewards program for our active community to encourage and reward those who are helping to improve the systems we build. It is not a competition. We can cancel the program at any time and awards are at our sole discretion.

All Bug Bounty awards are subject to compliance with local laws, rules, and regulations. We will not issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists. Please be advised that we might conduct background checks via our screening tool in order to verify this. You are responsible for all taxes payable in connection with the receipt of any rewards. All rewards are subject to the laws of England and Wales. Finally, your testing must not violate any law or compromise any IP rights, data — or funds — that are not yours.

Privacy and Data Protection

As part of participating in the Bug Bounty Program, you will need to share personal data including your name, email address, ID information and photos, and a blockchain address. The Polkadot and Kusama community are committed to protecting and respecting your privacy. To understand how your personal data is used, please see our Privacy Policy.

Governing Law and Jurisdiction

Any obligations arising out of or in connection with the Polkadot/Kusama Bridges Bug Bounty Program or its subject matter, will be governed by and construed in accordance with the law of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Polkadot/Kusama Bridges Bug Bounty Program.

Legal Safe Harbour

This program strongly supports and encourages security research into Polkadot/Kusama Bridge. If you conduct genuine, in-scope, bug-hunting research in good faith and in accordance with this policy, we will consider your actions to be legitimate and not seek prosecution. But for the avoidance of doubt, this does not give you permission to act in any manner that is inconsistent with the law or might cause us to be in breach of any of our legal obligations.