Bug Bounty Program

Last updated 1 month ago

R5's bug bounty program is managed by R5 Labs. It aims to continuously incentivise security and feature improvements to the protocols and tools developed by R5 Labs in conjunction with the broader R5 community.

R5 200,000 was committed to the bug bounty program out of the pre-allocated funds. Once these funds are depleted, community funding via donations will be needed to keep the Bug Bounty Program active. If you would like to donate, please use the wallet address below:

0x66a88f34AE8800561084EBb351dafAAA248a15b8

What are we looking for?

R5 is a community-driven project, and bugs are a normal part of the product development cycle. Collaborators are always working to get them patched and fixed, and most of the work is done by volunteers. We therefore do not deem small UI or function fixes that were already in the development schedule to be worthy of bug bounty prizes.

That is not to say that bugs that can cause function breakdowns and compromise the stability of the nodes won't be looked at, but the main goal with our bug bounty program is to identify vulnerabilities that may expose sensitive data (such as private keys) in our protocols, or most critically, affect the blockchain state management.

Some of our websites use WordPress, and bugs related to the WordPress protocol won't be considered to be part of the scope of this bug bounty program.

If you have found minor vulnerabilities or bugs, you can also contribute directly to the open source codebase to patch them. Being a community-run project, we depend on community support to operate, and your direct contribution will also earn you points and influence within the community.

Current Areas of Focus (10% Payment Bonus)

Vulnerabilities found in these specific codebases will yield a 10% bonus payment to the person that finds and submits them via the .

  • Blockchain client (r5-core/client)

  • CLI Wallet (r5-core/cliewallet)

  • GUI Wallet (r5-wallet)

Soft Payment Schedule

This schedule gives bug bounty hunters an indication of how much they can expect as a payout. The R5 Labs team will ultimately evaluate and assess each submission individually, using the schedule below as a baseline. Unless specified otherwise, bugs and vulnerabilities that are submitted with a fix/patch will yield an additional 20% payout.

| Area/Sector | Threat Level | Description | Payout Indication* |
|---|---|---|---|
| Blockchain client-related code, excluding tooling and the SDK | Low | Small bugs that affect functionality of the protocol but do not put the integrity of the chain state at risk. These need to be submitted with a fix to be accepted. | From R5 10 - 50 |
| Blockchain client-related code, excluding tooling and the SDK | Medium | Bugs that can cause a function or feature to break down, causing credentials to be exposed or other types of vulnerabilities, but do not pose a risk to the chain state integrity. | From R5 100 - 500 |
| Blockchain client-related code, excluding tooling and the SDK | High | Vulnerabilities that may pose a severe threat to the functioning of the client protocol, but do not put the integrity of the chain state at risk. | From R5 250 - 1,000 |
| Blockchain client-related code, excluding tooling and the SDK | Critical | Vulnerabilities that threaten the integrity of the chain state, with reorgs or double spending, for example. | From R5 1,000 |
| R5 tooling and SDK codebase | Low, Medium, High | Bugs that may cause function breakdowns or vulnerabilities to developers while using the tools. | From R5 10 - 250 if a bug is submitted without a patch/solution; from R5 20 - 350 if a bug is submitted with a patch/solution |
| R5 tooling and SDK codebase | Critical | Vulnerabilities that expose sensitive information or may have potential to directly impact chain state management with reorgs, double-spending, etc. | From R5 750 if submitted without a patch/solution; from R5 1,250 if submitted with a patch/solution |
| Other code | Low, Medium | Bugs and vulnerabilities that have potential to cause instability but do not leak sensitive information or have the potential to affect the chain state management. | From R5 10 - 250 if submitted without a patch/solution; from R5 20 - 350 if submitted with a patch/solution |
| Other code | High | Bugs and vulnerabilities that have the potential to leak sensitive data but do not present a risk to the chain state management. | From R5 20 - 350 if submitted without a patch/solution; from R5 50 - 500 if submitted with a patch/solution |
| Other code | Critical | Bugs and vulnerabilities with potential to compromise the chain state management. | From R5 1,000 |

* The payout figures are just indications, and the R5 Labs team will make its own judgement on how critical the vulnerability is based on its threat level to the users, developers, and most importantly, to the chain state management. However, this schedule will be used as a guideline in all assessments.

Submit Your Bug

Use the form below to make your submission. Please read the Terms & Conditions before proceeding.

Bug Bounty submission form: https://forms.gle/UryJ9uFWxgXDDzNh7