Parity Bug Bounty Program

For hunters

Description

We work hard to make sure our systems are bug-free, but acknowledge that we might not catch them all. We call on our community and all bug bounty hunters to help identify bugs in the protocols and software. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Our Parity Bug Bounty Program allows us to recognise and reward members of the Parity community for helping us find and address significant bugs, in accordance with the terms of the Parity Bug Bounty Program set out below.

Responsible Investigation and Reporting

Responsible investigation and reporting includes, but isn't limited to, the following:

  • Don't violate the privacy of other users, destroy data, etc.
  • Don’t defraud or harm Parity Technologies Ltd or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
  • Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
  • Initially report the bug only to us and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.

Eligibility

Generally speaking, any bug that poses a significant vulnerability, either to the soundness of protocols and protocol/implementation compliance to network security, to classical client security as well as security of cryptographic primitives, could be eligible for reward. In addition, security issues with certain services that Parity offer are in scope as well, see below. Please note that it's entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.

The Parity Bug Bounty Program covers security issues identified in the following sets of protocols, code bases and services:

  • Cryptography code: any bugs relating to cryptography, encryption, decryption, and signing of messages (this includes account creation and recovery).
  • Client Code: any bugs which can be used to bring down or take control of Parity clients without direct access to the machine
  • Smart contracts: any bugs which compromise the intended behavior of a smart contract in the Parity suite, particularly bugs which can lead to Ether or ERC20 tokens being transferred.
  • Client Application Security:
    • bugs which can allow DApps running in the Parity browser to obtain privileges not intended for them.
    • DApps should not be able to escape the "sandbox" they run in.
  • Whisper code: any errors in the implementation of encryption
  • Parity’s ID background-check service PICOPS:
    • any bugs in the cryptography related to creating accounts and signing transactions.
    • any bugs that could result in compromising live Onfido tokens, private key of a trusted account used to call into the certifier contract, or other secrets.
    • any bugs or vulnerabilities that could be exploited to bring the service down, extensive DDOS attacks excluded.
    • any bugs or vulnerabilities that would result in the service being unusable for some or all users, e.g.: being able to prevent users from making background checks after paying the fee, without having access to those users’ computers.

Ineligibility

  • The Parity websites https://paritytech.io/ and https://parity.io/ along with https://polkadot.io/
  • Bugs which have already been submitted by another user or are already known to the Parity team or have already been publicly disclosed
  • Parity Technologies’ development team, Parity Technologies' employees and any other person employed in any way by the company, directly or indirectly, are not eligible for rewards.
  • Anyone engaged by a user of the Parity codebase to review or audit Parity code (which has been specifically developed for that user) in exchange for remuneration will not be eligible for rewards.

Reward

Bug Bounty Hunter program rewards are at the sole discretion of Parity Technologies.

  • The minimum reward for eligible bugs is the equivalent of 100 USD in ETH/BTC.
  • Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues, i.e. that the identified issue could put a significant number of users at risk of severe damage, monetary or otherwise.
  • Each bug will only be considered for a reward once.

How to report a bug

  • Send your bug report to [email protected], including the information below, or use the form on our website:
    • your name
    • description of the bug
    • Attack scenario (if any)
    • components
    • reproduction
    • other details
  • Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept
  • On the email subject, please use the following format: PARITY BUGBOUNTY_[SEVERITY LEVEL] (the severity level of the issue is discretional to your understanding of the submission)
  • Please allow 2 business days for us to respond before taking any further action

Once the issue has been submitted, our team will review the information, assign a severity level (that may or may not be similar to your choice) and redirect this to one member of the Bug Bounty Program team, who will contact you with more details on the next steps. You will be asked to send proof of identity and an ETH/BTC address to be rewarded. You will get rewarded from the bug bounty wallet created for this program.

The Parity Bug Bounty Program is a discretionary rewards program for our active community to encourage and reward those who are helping to improve Parity’s software. It is not a competition. We can cancel the program at any time and awards are at the sole discretion of Parity Technologies development team. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists. You are responsible for all taxes payable in connection with the receipt of any rewards. All rewards are subject to the laws of England and Wales. Finally, your testing must not violate any law or compromise any data that is not yours.

We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate. If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we will not consider your actions as an attack and won’t take any legal action against you.

Governing Law and Jurisdiction

Any obligations arising out of or in connection with the Parity Bug Bounty Program or its subject matter will be governed by and construed in accordance with the law of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Parity Bug Bounty Program.

Customer Services

If you have a query or complaint about the Parity Bug Bounty Hunter Program, please contact us using any of the contact details below: [email protected] or [email protected]




For contributors

Parity Technologies’ Bug Bounty Program Contribution Terms & Conditions

Parity Technologies would like to allow its users and supporters to make a financial contribution to help it in its mission: developing the fastest and most secure way of interacting with the Ethereum network.

Contributions will be used by Parity Technologies to reward Bug Bounty-hunters under its Bug Bounty Program (each a “Contribution”), as described in the Bug Bounty Program Terms and Conditions.

These Bug Bounty Contribution Terms & Conditions govern the relationship between Parity and each contributor.

Contributors

Contributors who are individuals must be aged 18 or over. Each contributor represents and undertakes to comply with all local and relevant laws. Parity disclaims all liability (to the fullest extent possible at law) for any liabilities that might arise.

Parity reserves the right to:

  • request the full name and contact details of the contributor;
  • request from the contributor any other information that it considers to be necessary or desirable to determine the provenance of the Contribution;
  • undertake any further investigations it deems fit to determine the provenance of the Contribution;
  • publicly disclose the identity of the contributor and the amount of the Contribution; and
  • if the contributor refuses to provide any information requested by Parity, Parity may refuse and return the Contribution to the contributor at its discretion.

Making Contributions

By making a Contribution, contributors agree and acknowledge that:

  • the Contribution is provided to Parity Technologies as an irrevocable gift
  • the Contribution will be used to reward Bug Bounty-hunters under Parity Technologies’ Bug Bounty Program, as described in the Bug Bounty Program Terms and Conditions; and
  • each Contribution is made subject to these terms and conditions, which shall constitute a legally binding agreement between each contributor and Parity (“Bug Bounty Contribution Terms & Conditions”), entered into by each party in consideration of the other’s obligations under these Bug Bounty Contribution Terms & Conditions.

All Contributions will be made through https://paritytech.io. Contributions will be accepted by Parity Technologies for the period during which this site is live.

Contributions received by Parity will be deposited in a wallet created specifically for the Bug Bounty Program under address 0x00f1C77935AC482fC075B55b5990E86ea40851Bb:

Bug Bounty Address

Each Contribution will be identifiable by a unique merchant identification number and accounted for separately by Parity.

Once a Contribution is received by Parity, Parity will be legally and beneficially entitled to the full amount of the Contribution and contributors will have no entitlement to the return of a Contribution in any circumstance other than as specified in these Bug Bounty Contribution Terms & Conditions.

Contributors will receive no benefit in return for any Contribution and shall have no rights to influence the work of Parity.

Contributions to Parity are not charitable donations under the law of England & Wales and, as far as Parity is aware, contributors will not be entitled to any tax relief or “gift aid” in respect of any Contributions in the United Kingdom or in any other jurisdiction worldwide.

Refunds and cancellation

Parity reserves the right to refuse and return any Contribution in its absolute discretion. Contributors will be entitled to receive a refund of a Contribution for up to 14 days after receipt of payment by notifying Parity by email at [email protected] Any requests for a refund of a Contribution received by Parity following expiry of the 14-day period will be ineligible.

Any refused or returned Contributions will be repaid into the wallet from which the Contribution was made.

Confidentiality and publicity

Contributors shall not be entitled to publicise their Contribution without the prior written consent of Parity Technologies.

Data Protection and Privacy

Any personal information about a contributor obtained by Parity as a result of a Contribution being made will only be used to process the Contribution.

Exclusion of Liability

Neither Parity Technologies nor any affiliated person, employee, agent, officer or director shall be liable for any loss suffered by any contributor or other person arising out of or in connection with a Contribution, whether direct or indirect, including loss of revenue, loss of profits, loss of business or anticipated savings, loss of use, loss of goodwill, loss of data, and whether caused by tort (including negligence), breach of contract or otherwise, except in respect of any liability for death or personal injury or any other liability which cannot be excluded or limited under applicable law.

Waiver

If Parity Technologies fails to assert a right or provision under these Bug Bounty Program Terms & Conditions, it will not constitute a waiver of that right or provision.

Third-party rights

These Bug Bounty Program Terms & Conditions are between Parity Technologies and Contributors. They are not intended to confer any contractual benefit on any other person pursuant to the terms of the Contracts (Rights of Third Parties) Act 1999.

Severance

Each paragraph of these Bug Bounty Program Terms & Conditions operates separately. If any provision of these Bug Bounty Program Terms & Conditions is held by a court of competent jurisdiction to be invalid, illegal or unenforceable for any reason, that provision shall be eliminated or limited to the minimum extent such that the remaining provisions of these Bug Bounty Program Terms & Conditions will continue in full force and effect.

Entire Agreement

These Bug Bounty Program Terms & Conditions, as may be amended from time-to-time, constitute the entire agreement between the contributor and Parity Technologies in respect of any Contributions made by that Contributor.

Governing Law and Jurisdiction

These Bug Bounty Program Terms & Conditions and any non-contractual obligations arising out of or in connection with them or their subject matter will be governed by and construed in accordance with the law of England and Wales.

Each Contributor and Parity Technologies irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement, its subject matter or formation.

Customer Services

If you have a query or complaint about a Contribution, please contact us using any of the contact details below: [email protected], [email protected]