
Announcing the Bug Bounty Program

As recent events have shown us, having good programmers, open-source software and peer review is not always enough to ensure that no critical bugs make it through to release. Users of all Free software should audit the software themselves, to a depth that reflects how much they rely on it, but this inevitably means that a good deal of auditing effort is duplicated across any given software's user base.

With this in mind, and after getting some promising feedback on our previous blog article, Parity is starting a bug-bounty programme. While Parity has seeded it initially, our resources are mostly deployed on writing open-source software, so we appeal to the community to help itself and fund it as much as possible.

To minimise any potential (technical) security issues, the bounty funds will initially be collected into a cold-wallet account managed by Parity. This will be transitioned into a multi-sig once we have finalised who the trustees/"owners" of the multi-sig will be; they will judge and administer any payments to be made from the fund.

For anyone who would like to contribute to the Bug Bounty Programme, please send funds to 0x00f1C77935AC482fC075B55b5990E86ea40851Bb, or, if you're using Parity Wallet, to the name bugbounty. For additional security, this same address will be tweeted from our official Twitter account. Here's a picture of it (the identicon looks like a green teddy bear on an orange background).

[Image: identicon for the bug-bounty address]

The programme will initially cover the Parity Ethereum client for the latest released versions of the beta and stable branches, together with staging branches during the QA period prior to a release. It will be a narrowly focused fund covering security issues specifically, rather than more general setup, crashing or consensus issues. Depending on feedback from donors, its scope may later be extended to cover consensus, and other clients and infrastructure that do not currently have a bug-bounty programme.

The initial targets will be Parity's key management (to ensure secrets cannot be compromised or misused), Parity's auto-update Operations contract, and Parity's multi-signature Wallet, the base of which can be found in the contracts repository.

Next up

This is a beginning, but certainly not the end. We will be reaching out to a number of well-respected security professionals and teams to create a club of bounty hunters. This club could then be called upon by Parity and others in the community to do targeted, well-incentivised reviews of new code. More news when we have it.
