Announcing the Bug Bounty Program

As recent events have shown us, good programmers, open-source software and peer review are not always enough to ensure that no critical bugs make it through to release. While users of any Free software should always do their own auditing to a level that reflects how much they rely on it, this inevitably implies some regrettable duplication of effort across a given program's user base.

With this in mind, and after getting some promising feedback on our previous blog article, Parity is starting a bug-bounty programme. While Parity has seeded the fund, our resources are mostly deployed on writing open-source software, so we appeal to the community to help itself and fund this as much as possible.

To minimise the (technical) attack surface, the bounty funds will initially be collected into a cold-wallet account managed by Parity. This will be transitioned to a multi-sig once we have finalised who the trustees ("owners") of the multi-sig will be; they will judge claims and administer any payments made from the fund.

For anyone who would like to contribute to the Bug Bounty Programme, please send funds to 0x00f1C77935AC482fC075B55b5990E86ea40851Bb, or, if you are using Parity Wallet, to the name bugbounty. For additional security, this same address will be tweeted from our official Twitter account; before sending, compare the address you are about to use character by character, including letter case, against the tweeted copy. Here is a picture of it (the identicon looks like a green teddy bear on an orange background).

[image: identicon for the bug-bounty address]

The programme will initially cover the Parity Ethereum client: the latest released versions of the beta and stable branches, together with staging branches during the QA period prior to a release. It will be a narrowly focussed fund covering security issues specifically, rather than more general setup, crashing or consensus issues. Depending on feedback from donors, its scope may be extended later to cover consensus, and other clients and infrastructure that do not currently have a bug-bounty programme.

The initial targets will be Parity's key management (to ensure secrets cannot be compromised or misused), Parity's auto-update Operations contract and Parity's multi-signature Wallet, the base of which can be found in the contracts repository.

Next up

This is a beginning, but certainly not the end. We will be reaching out to a number of well-respected security professionals and teams to create a club of bounty hunters. This club could then be called upon by Parity and others in the community to do targeted, well-incentivised reviews of new code. More news when we have it.
