Bug Bounty Program

Welcome to the Prom Bug Bounty Program! We're committed to ensuring the security and reliability of our blockchain solution. This program aims to incentivize security researchers and ethical hackers to identify and report potential vulnerabilities in our system.

Rewards

Rewards are distributed based on the severity of the vulnerability, following a simplified 5-level scale:

  • Critical: Up to $50,000

  • High: Up to $10,000

  • Medium: Up to $2,000

  • Low: Up to $500

  • Informational: Up to $100

The exact reward amount will be determined based on the potential impact and exploitability of the reported issue.

Scope

The bug bounty program covers the following components of Prom:

  1. Smart Contracts

  2. Bridge Mechanisms

  3. Consensus Layer

  4. State Management

  5. Transaction Processing

  6. Proof Generation and Verification

Focus Areas

We're particularly interested in vulnerabilities that could lead to:

  • Loss or theft of user funds

  • Permanent freezing of funds

  • Manipulation of transaction data or state

  • Compromise of the network integrity

  • Disruption of the bridge between Prom and Ethereum

  • Exploitation of the zero-knowledge proof system

  • Consensus failures or network splits

Submission Guidelines

Please submit a bug report by email to tech@prometeus.io. In your report, please make sure to include the following:

  1. All submissions must include a clear description of the vulnerability and a proof-of-concept (PoC).

  2. For smart contract vulnerabilities, working exploit code is required.

  3. Provide detailed steps to reproduce the vulnerability.

  4. The wallet address that will be used to receive funds if you are eligible for the reward.

Out of Scope

  • Issues already known to the Prom team or previously reported

  • Vulnerabilities in third-party applications built on Prom

  • Theoretical vulnerabilities without practical exploitation paths

  • DoS attacks requiring large amounts of resources

Breaking the following rules may result in a reduced reward, or in complete forfeiture of the reward, for finding a bug:

  • Do not attempt to exploit any vulnerability beyond what's necessary to demonstrate the issue.

  • Avoid accessing, modifying, or destroying data that doesn't belong to you.

  • Do not disclose any vulnerabilities publicly before they have been addressed by the Prom team.

  • Misrepresenting severity: claiming that a bug report is critical when it clearly is not

  • Misrepresenting assets in scope: claiming that a bug report impacts/targets an asset in scope when it does not

  • Whitehacking with intent to save user or protocol funds without the express written consent of the project

  • Attempting phishing or other social engineering attacks against protocol developers

  • Requesting gas fees from the project

  • Attacks based on personal characteristics

  • Threats of violence

  • Threatening to publish or publishing people’s personal information without their consent

  • Extortion/blackmail or threats of extortion/blackmail

  • Reporting a bug that has already been publicly disclosed

  • Publicly disclosing a bug report (or even the existence of a bug report for a specific project) before it has been fixed and paid

  • Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps

  • Submitting spam/very low-quality bug reports and submitting information that is not a bug report

  • Submitting a bug report in a language other than English

Program Duration

This bug bounty program will run continuously, with periodic reviews and updates to the scope and reward structure. By launching this comprehensive bug bounty program, Prom aims to leverage the expertise of the global security research community to enhance the robustness and security of its solution, following the best practices established by other successful platforms in the ecosystem.

Last updated