Comment on page

Bug Bounty and reporting of issues

Quicksilver recognizes the importance and value of security researchers’ efforts in improving community safety. We reward responsible disclosure of security vulnerabilities via our bug bounty program.
The bug bounty program covers all the code and services associated with Quicksilver.
Taking part in the Bug Bounty Program policy requires researchers to adhere the following rules:
  1. 1.
    Providing Quicksilver with a reasonable amount of time to fix the vulnerability prior to sharing details of the vulnerability with any other party.
  2. 2.
    Preserving the confidentiality and integrity of any data acquired during the security research process.
  3. 3.
    Not defrauding Quicksilver in the process of participating in this program.
  4. 4.
    Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Quicksilver.
  5. 5.
    Reporting vulnerabilities with no conditions, demands, or ransom threats.
  6. 6.
    Complying with and passing a KYC or KYB process
Social Engineering attacks are a violation of the rules of the program.

Bug submission format

Bug submission reports must be done in a secure way. We use PGP encryption to communicate with our security researchers.
Before you submit a report you will need to have a PGP keypair for secure communication with Ingenuity.
You can find the Ingenuity public key on Github and instructions to generate and use your keys here.
All submissions must be provided using the template below:
Contact information
  • Email address
  • PGP public key
Issue Description
Add a detailed description of the issue, including but not limited to, the impact on the network or end users, the software version(s) affected, current vs. expected behaviour, likelihood of exploit, alternatives or workarounds to the vulnerability, etc.
Affected URL/Area
The affected URLs or area of the application where the issue exists.
Risk Rating
  • Risk:
  • Difficulty to Exploit:
  • CVSS3 Score
  • Authentication
The Quicksilver team will be reevaluating this after the submission of the report and the reproduction of the steps provided.
  • What kind of attacker?
  • Do they need authentication?
  • Who else does it affect?
Steps to reproduce/PoC
A clear outline of the steps required to execute the payload as an attacker, this can include how to set up the payload and launch it.
  • Request
  • Response
  • Show, Introduce, Discuss
  • Screenshots
If applicable, please include a list of all the prerequisites for reproducing the vulnerability (eg: software used for debugging, special node configurations, etc).
Affected Demographic/User Base
  • Explain who this issue affects
  • Is it everyone or just a select number of users?
  • How can this occur?
Recommended Fix
  • How do you fix the issue?
  • What are the recommended remediation actions required to successfully fix issue x?
Include additional reading for the client to further backup the issues explained or elaborate more on other potential issues chained to the one identified.
KYC / KYB requirement
Quicksilver requires KYC / KYB to be done for all researchers submitting a report and wanting a reward above a certain dollar level.
The information required (photographic ID, utility bill) is assessed by a third party (Synaps). Researchers that are business entities will have to provide additional information (e.g., directors, owners). Please anticipate that Synaps might require documentation in English, or in certified translations to it. The collection and assessment of this information will be done by Synaps - Quicksilver will not have access to KYC / BYB info.

Bug Bounty Program Rewards

Above a certain dollar level, payouts are contingent on successfully passing a KYC or KYB process. Payouts will be handled by the Quicksilver team directly and are denominated in USD. However, payouts are done in QCK or USDC.
Please note that this is the first iteration of the Bug Bounty Program Rewards and that it might evolve in the future - the payout ranges below are for informational purposes only.
All vulnerabilities marked in the Security Audit reports by Halborn Security and Orijtech are not eligible for rewards.
Vulnerabilities associated with chains connected to quicksilver should be reported to the specific chains’ security teams.
Payout ranges
Blockchain (quicksilverd)
Low level: Up to USD 500
Medium level : Up to USD 2,500
High level : Up to USD 20,000
Critical level : Up to USD 50,000
Applications and websites (quicksilver webapp, icq, xcclookup, authz-pusher)
Low level: Up to USD 100
Medium level : Up to USD 500
High level : Up to USD 1,000
Critical level : Up to USD 2,500
Other infrastructure and services
Low level: Up to USD 200
Medium level : Up to USD 1,000
Last modified 5mo ago