Crypto.com is inviting testers to uncover bugs or security risks for our Crossfire Mainnet Dry-Run. This Bug Bounty Programme will award bounties based on the severity of the risk, where testers can receive USD 5,000 of CRO or more for critical issues.

Target Audience
Open to public

Programme Period
The Crypto.com Chain Crossfire Mainnet Dry-Run - Bug Bounty Programme begins on 18 Jan 2021, 04:00 UTC and ends on 22 Feb 2021, 03:59 UTC.

Severity Level and Bounty Amount
The bounty will be proportional to the severity of the issue, which is determined based on the Common Vulnerability Scoring System Version 3.1 (CVSS v3.1) risk definition and score calculation (Link to CVSS standard). It will be paid in CRO according to the ‘Mainnet Dry-Run - Crossfire’ reward payout scheme below.

Severity Level 

CVSS Score

Bounty (USD)

Low 

0.1 - 3.9

From $100 to $300

Medium 

4.0 - 6.9

From $400 to $700

High 

7.0 - 8.9

From $2,500 to $5,000

Critical 

9.0 - 10.0

From $5,000 and above

In-Scope Components
Any nodes that run our official binaries without any code modification. The Mainnet source code can be found here.

Submissions Eligible for Bounties
Uncovering a bug that poses a significant risk to:

  • The soundness of the protocol;
  • Protocol / implementation compliance to network security;
  • Classical client security, and
  • The security of cryptographic primitives.

Attacking the Mainnet by:

  • Specifying an attack that potentially affects liveness and safety on the network;
  • Eclipsing a particular node and running a double-spend attack;
  • Tampering blockchain history to invalidate transactions;
  • Preventing other nodes from accessing the network, and
  • Shutting down the Mainnet.

Submissions Not Eligible for Bounties
The following submission cases will not be accepted:

  • Any vulnerability or limitation already known by Crypto.com;
  • Any bug found on the Crypto.com website and all the third-level websites on related domains;
  • Any bug found on our other products;
  • Any bug found on the third-party libraries that the Mainnet uses, specifically Cosmos SDK and Tendermint Core;
  • Bugs that have already been submitted by another tester, are already known to the Mainnet team, or have already been publicly disclosed;
  • Any other bug deemed irrelevant or insignificant by Crypto.com;
  • Attacks requiring physical access to a user's device, and
  • Issues that require unlikely user interaction.

Reporting Vulnerabilities
Send your report to bounty@crypto.com and include the following information:

  • Your name;
  • Your Mainnet address and HD path;
  • Description of the bug or attack;
  • Severity level of the bug (based on the CVSS guidelines);
  • Description of the attack scenario;
  • List of the components affected;
  • Report on how to reproduce the bug or attack, and
  • Any other details.

Please use the following format for the email subject line: ‘Crypto.com Mainnet - BUG/ATTACK[SEVERITY LEVEL]’.

The severity level is discretional to your understanding of the issue, which we will then review in detail. Please only submit one report for every issue, as we will not accept double submissions.

Please allow 10 business days for us to respond before taking any further action.

Disclosure Policy
As this is a private programme, please do not discuss any reports or vulnerabilities (even resolved ones) to third parties without express consent of Crypto.com.

Prohibited Behavior
Exploiting protocol and application-level bugs in the Crypto.com Mainnet is prohibited. Any bugs that are discovered should be reported directly to bounty@crypto.com.