Increasing the protocol's security before mainnet launch is one of the top priorities for the Hermez team.
That's why during the end of 2020 we conducted two security audits with independent teams.
The first one with Solidified, and the second with Trail of Bits regarding Hermez smart contracts and circuits, which are already published inside their repositories.
We are very grateful to both teams for their audits, as they allowed us to increase the safety of the protocol ahead of launch.
Now, we want to go one step further by launching the Hermez Bug Bounty Program. We welcome white hat hackers, cryptographers and cybersecurity experts to help us improve even more.
TL;DR
All bounty submissions are rated by the Hermez team and rewarded according to their vulnerability rating. All payouts are made in ETH; the reward ranges are defined as a guideline below.
- Bounty hunters must register by filling out this form, providing an ETH address for receiving rewards.
- Information about the protocol’s intended behaviour is available at docs.hermez.io.
- All bug reports must be submitted at [email protected].
- Asking for payment in exchange for vulnerability details will result in immediate ineligibility of bounty rewards.
- If we cannot reproduce your findings, your report will not be eligible for the payout. You must provide a detailed report with all the necessary steps to reproduce your findings.
- Rewards are defined below. Hermez reserves the right to modify the reward ranges.
Policy
Hermez agrees not to initiate legal action for security research performed following all posted Hermez Bug Bounty policies, including good faith and accidental violations.
We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.
If you want to participate in the bug bounty, please fill out this form before engaging in conduct that may be inconsistent with or unaddressed by the policy.
In Scope:
The following properties are in scope for bug bounty rewards.
| URL | Property Name |
|---|---|
| https://github.com/hermeznetwork/contracts | Hermez Network smart contracts GitHub repository |
| https://github.com/hermeznetwork/circuits | Hermez Network circuits GitHub repository |
Vulnerability Ratings:
Critical
Critical severity issues present a direct and immediate risk to a broad array of our users or to Hermez itself and revolve around stealing funds. They often affect relatively low-level or foundational components in one of our application stacks or infrastructure.
Examples:
- Store a malicious state root.
- Bypass the zkSNARK prover.
- A break of the Poseidon hash function.
Major
High severity issues are those that allow an attacker to harm users by locking funds or by causing a stop or severe malfunction of the network, and other issues that would force an urgent upgrade of the smart contracts or circuits.
Examples:
- Bids that could be used to perform a DoS on coordinators.
- Possible front-running attacks on auction.
- Denial-of-Service (DoS) against coordinators through L1 transactions.
Minor
Minor severity issues include bugs with less impact but which can still produce harm on users.
Ineligibility
Reports in which we are not interested include:
- Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website, and vulnerabilities or bugs on the Hermez blog (blog.hermez.io).
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers.
- Vulnerabilities in third-party applications that make use of Hermez’s API.
- Vulnerabilities that have not been responsibly investigated and reported.
- Vulnerabilities already known to us, or already reported by someone else (this bounty is announced on multiple platforms, and the reward goes to the first reporter regardless of the platform used).
- Issues that aren’t reproducible.
- Vulnerabilities that require an improbable level of user interaction.
- Vulnerabilities that require root/jailbreak on mobile.
- Missing security headers without proof of exploitability.
- Suggestions on best practices.
- Software version disclosure.
- Any report without accompanying proof of concept exploit.
- Issues that we can’t reasonably be expected to do anything about.
- The output from automated tools/scanners.
- Issues without any security impact.
Non-security Issues
You can let us know about non-security issues at [email protected].
Rewards
Hermez is eager to work with the community to ensure that every researcher's findings are rewarded fairly, based on the vulnerability's impact on the business and its overall severity. To this end, extraordinarily severe issues or those with extreme impact may be rewarded with up to 100 ETH.
| Technical Severity | Rewards |
|---|---|
| Critical | 100 ETH |
| Major | 50 ETH |
| Minor | 3 ETH |
Submission Instructions
1) You must register your participation before engaging in the bug bounty by filling out this form.
2) Send an email to [email protected] with the subject: “Hermez Network Exploit Submission” along with technical severity rating (Critical/Major/Minor).
3) Provide a proof of concept and demonstration of the exploit in your email.
4) The Hermez team will respond with the next steps.
If the issue is critical and demands immediate attention, please send a message that indicates: "Severe Hermez Network Exploit".
Rewards will be paid out in $ETH.
Thank you in advance for your efforts in improving the security of the Hermez Network!
We'll be sharing updates of the bug bounty findings on Twitter and Discord.