"Bounty hunting is a complicated profession." - The Client
Lantah's Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Lantah Network, its protocol, or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues.
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page. Lantah's development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete.
In order to qualify for a bounty, a bug must be:
Infrastructure – Generally speaking, any bug that poses a significant vulnerability to the security or integrity of the Lantah Network could be eligible for reward.
Relevant – Only security issues qualify for this bounty. A qualifying bug has to be a danger to user funds, privacy or the operation of the Lantah Network.
Original – Nobody has reported the issue before.
Unknown – Bugs that are already known and discussed in public do not qualify. Previously reported bugs (including those with active tickets) are not eligible.
Specific – We welcome general security advice or recommendations, but we cannot pay bounties for that.
Fixable – There has to be something we can do to permanently fix the problem. Note that bugs in other people’s software may still qualify in some cases. For example, if you find a bug in a browser that compromises the security of Lantah and we can get it fixed by talking to the browser vendor, you may qualify for a bounty.
Unused – If you use the exploit to attack us first, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and we have specific, concrete evidence that suggests you are the attacker we reserve the right not to pay a bounty.
Isolated – The bug must remain isolated from the Lantah Network, and must not be tested on the main-net or any publicly accessible test-net. Please use your local instance and a separate network. Remember that blockchains are public, and someone may see your findings and report the bug before you do.
In general, the following would not qualify for a bounty reward:
- Recently disclosed 0-day vulnerabilities
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc
- Vulnerabilities affecting outdated or unpatched browsers
- Vulnerabilities in third party applications that make use of Lantah’s API
- Bugs that have not been responsibly investigated and reported
- Bugs already known to us, or already reported by someone else (reward goes to first reporter)
- Issues that aren’t reproducible
- Issues that we can’t reasonably be expected to do anything about
Lantah will reward bounties with Grams. The amount of the award depends on the degree of severity of the vulnerability reported. The Lantah Bug Bounty Panel will evaluate award sizes according to severity calculated according to the OWASP risk rating model based on Impact and Likelihood. However, final awards are determined at the sole discretion of the panel:
Critical: up to 25,000 points
High: up to 15,000 points
Medium: up to 10,000 points
Low: up to 2,000 points
Note: up to 500 points
1 point currently corresponds to 1 USD (payable in Grams), which may change without prior notice. A floor conversion price of 1ꞡ = 1 satoshi applies if a ꞡ/USD market-price conversion is not available. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.
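The tiers above follow the OWASP Risk Rating Methodology, which the page names but does not spell out. The following is an added worked example (not Lantah's own code or scoring sheet) of how that methodology turns per-factor scores into a Likelihood level, an Impact level and an overall severity, and then looks up the tier cap listed on this page. The factor names, the 0-9 scale, the 3/6 thresholds and the 3x3 severity matrix are OWASP's published methodology; the sample factor values are constructed for illustration, and the final award remains at the panel's discretion.

```python
"""OWASP Risk Rating worked example (added illustration, not Lantah's code).

Each Likelihood and Impact factor is scored 0-9, the factors are averaged,
each average is bucketed (<3 LOW, <6 MEDIUM, else HIGH), and the two levels
are combined in OWASP's overall-risk matrix. The award caps are the ones
listed on this page.
"""

# OWASP likelihood factors: threat-agent factors plus vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# OWASP impact factors: technical impact plus business impact.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Per-tier award caps as stated on this page (points; 1 point = 1 USD in Grams).
AWARD_CAP = {"Note": 500, "Low": 2_000, "Medium": 10_000, "High": 15_000, "Critical": 25_000}

# OWASP overall-risk matrix: (impact_level, likelihood_level) -> severity.
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}


def factor_average(scores, expected_factors):
    """Average the 0-9 factor scores, rejecting missing or out-of-range values."""
    missing = set(expected_factors) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    values = [scores[name] for name in expected_factors]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must be in 0..9")
    return sum(values) / len(values)


def level(score):
    """OWASP bucketing of a 0-9 average: <3 LOW, <6 MEDIUM, otherwise HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood_scores, impact_scores):
    """Return (likelihood_avg, impact_avg, severity, award_cap) for one report."""
    likelihood = factor_average(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = factor_average(impact_scores, IMPACT_FACTORS)
    severity = SEVERITY_MATRIX[(level(impact), level(likelihood))]
    return likelihood, impact, severity, AWARD_CAP[severity]


# Constructed sample (hypothetical scoring, for illustration only): an integrity
# bug that an unauthenticated remote peer can trigger against the network.
SAMPLE_LIKELIHOOD = {
    "skill_level": 5, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 1, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 2, "loss_of_integrity": 9,
    "loss_of_availability": 7, "loss_of_accountability": 9,
    "financial_damage": 9, "reputation_damage": 9, "non_compliance": 5, "privacy_violation": 3,
}

if __name__ == "__main__":
    lik, imp, sev, cap = rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)
    print(f"likelihood={lik:.3f} ({level(lik)}), impact={imp:.3f} ({level(imp)})")
    print(f"severity={sev}, award up to {cap} points (panel discretion applies)")
```

For the constructed sample the likelihood average is 6.125 (HIGH) and the impact average is 6.625 (HIGH), which the matrix maps to Critical and the page's 25,000-point cap; scoring every factor at 1 lands in LOW/LOW and therefore in the Note tier. The useful property for a reporter is that the same finding can move a full tier on Likelihood alone, which is why the page rewards demonstrating a vulnerability "to maximum effect".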
Lantah will offer, at its discretion, the following bonuses for bug reports:
Full Report - 10%
Step by step report (including an exploit script if applicable) is more than welcomed. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.
Solution - 10-25%
We encourage providing a solution to the bug report, and the bonus amount depends on severity and complexity. If a solution is not provided, but you cooperate with requests and communications from Lantah in its efforts to implement a solution, Lantah may still choose to grant a partial bonus. A solution provided after the initial bug report will still qualify for this bonus, so please don't hold any bugs back while working on a solution!
Report a Bug
1: Use one of the following encrypted channels to contact Lantah about a bug:
- Signal App
- OpenPGP then email firstname.lastname@example.org
2: Include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.
Please don’t hold back partial vulnerabilities while trying to construct a full-blown exploit. We respect this process and will pay a large bounty to anyone who reports a complete chain of vulnerabilities even if they have reported each component of the exploit separately and those vulnerabilities have been fixed in the meantime. However, to qualify for the full bounty, you must have been the first to report each of the partial exploits.
Bounty hunting season will begin pending release of GramR.
You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists.