Bug Bounty and reporting of issues
Quicksilver recognizes the importance and value of security researchers’ efforts in improving community safety. We reward responsible disclosure of security vulnerabilities via our bug bounty program, described on this page.
The bug bounty program covers all the code and services associated with Quicksilver.
Taking part in the Bug Bounty Program requires researchers to adhere to the following rules:
1. Provide Quicksilver with a reasonable amount of time to fix the vulnerability before sharing details of it with any other party.
2. Preserve the confidentiality and integrity of any data acquired during the security research process.
3. Do not defraud Quicksilver in the process of participating in this program.
4. Do not profit from, or allow any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Quicksilver.
5. Report vulnerabilities with no conditions, demands, or ransom threats.
6. Comply with and pass a KYC or KYB process (see below).
Quicksilver considers Social Engineering attacks to be a violation of the rules of the program.
Bug reports must be submitted securely. We use PGP encryption to communicate with our security researchers.
Before you submit a report you will need a PGP keypair for secure communication with Ingenuity.
You can find the Ingenuity public key here <add link> and instructions to generate and use your keys here
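The following script is an added example of the GnuPG workflow described above; it is not Quicksilver's or Ingenuity's own tooling. It generates a researcher keypair, imports a vendor public key, pins the vendor fingerprint, signs and encrypts a report, and then, playing the vendor, decrypts it and insists that the signature verifies. It assumes GnuPG 2.1 or newer (for the quick-* commands and ed25519/cv25519). Both keypairs, the "expected" fingerprint and the report text are constructed locally for the demonstration; in real use the vendor key is downloaded from the page linked above and its fingerprint is compared against a value obtained through a second channel.

```shell
#!/bin/sh
# Added example, not Quicksilver's or Ingenuity's own tooling.
# Demonstrates the GnuPG workflow for a bug report: generate a researcher
# keypair, import the vendor's public key, pin its fingerprint, then sign and
# encrypt the report so only the vendor can read it and can verify the sender.
# Assumes GnuPG >= 2.1 (quick-* commands, ed25519/cv25519). Both keys, the
# "expected" fingerprint and the report text are constructed locally; in real
# use the vendor key comes from the linked page and its fingerprint is checked
# against a value obtained out of band (e.g. a second channel or a signed page).
set -eu

# gen_key <gnupghome> <uid>: create an unprotected ed25519 signing key plus a
# cv25519 encryption subkey in a private keyring; prints the primary fingerprint.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" ed25519 sign never >/dev/null
    fpr=$(GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" cv25519 encr never >/dev/null
    printf '%s\n' "$fpr"
}

# import_and_pin <gnupghome> <pubkey.asc> <expected_fpr>: import a public key
# and fail unless a key with exactly the expected primary fingerprint is present.
import_and_pin() {
    GNUPGHOME="$1" gpg --batch --quiet --import "$2"
    got=$(GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$3" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$got" = "$3" ] || { echo "fingerprint mismatch: refusing to use key" >&2; return 1; }
}

# encrypt_report <gnupghome> <signer_fpr> <recipient_fpr> <in> <out>: sign with
# the researcher key and encrypt to the vendor key, ASCII-armoured for email.
# --trust-model always only skips the web-of-trust check that batch mode would
# otherwise turn into an error; trust here comes from the fingerprint pin above.
encrypt_report() {
    GNUPGHOME="$1" gpg --batch --yes --quiet --armor --trust-model always \
        --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --recipient "$3" --sign --encrypt --output "$5" "$4"
}

# decrypt_verify <gnupghome> <in> <out>: decrypt as the vendor and insist on a
# GOODSIG status line. A plain --decrypt still exits 0 when the signer's key is
# unknown ("Can't check signature"), which is not good enough for a report.
decrypt_verify() {
    GNUPGHOME="$1" gpg --batch --yes --quiet --status-fd 1 \
        --pinentry-mode loopback --passphrase '' \
        --output "$3" --decrypt "$2" | grep -q '^\[GNUPG:\] GOODSIG '
}

# pgp_report_roundtrip: end-to-end demonstration in throwaway keyrings.
# Prints the plaintext recovered by the vendor; exits non-zero on any failure.
pgp_report_roundtrip() {
    work=$(mktemp -d)
    res="$work/researcher"; ven="$work/vendor"
    mkdir -m 700 "$res" "$ven"
    ven_fpr=$(gen_key "$ven" "Quicksilver Security (demo) <security@example.invalid>")
    res_fpr=$(gen_key "$res" "Researcher (demo) <researcher@example.invalid>")
    # Only public keys cross the wire, as ASCII-armoured blocks.
    GNUPGHOME="$ven" gpg --batch --armor --export "$ven_fpr" > "$work/vendor.asc"
    GNUPGHOME="$res" gpg --batch --armor --export "$res_fpr" > "$work/researcher.asc"
    # Researcher pins the vendor key; vendor pins the key the researcher sent with the report.
    import_and_pin "$res" "$work/vendor.asc" "$ven_fpr"
    import_and_pin "$ven" "$work/researcher.asc" "$res_fpr"
    # Constructed sample report body.
    printf 'Title: constructed demo report\nImpact: none, sample text only\n' > "$work/report.txt"
    encrypt_report "$res" "$res_fpr" "$ven_fpr" "$work/report.txt" "$work/report.asc"
    decrypt_verify "$ven" "$work/report.asc" "$work/report.dec"
    cmp -s "$work/report.txt" "$work/report.dec"   # plaintext survived intact
    cat "$work/report.dec"
    GNUPGHOME="$res" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$ven" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

pgp_report_roundtrip
```

The fingerprint pin is the step that matters: importing a key named "Quicksilver Security" proves nothing, so compare the full 40-hex fingerprint against one obtained through a channel the web page itself cannot control before encrypting anything to it. Attach your own public key (the exported `researcher.asc`) to the report so the team can verify the signature and reply encrypted.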
All submissions must follow the template below:
Contact
- Email address
- PGP public key
Description
Add a detailed description of the issue, including but not limited to: the impact on the network or end users, the software version(s) affected, current vs. expected behaviour, likelihood of exploitation, and any alternatives or workarounds for the vulnerability.
The affected URLs or the area of the application where the issue exists.
Severity
- Risk: Low / Medium / High / Critical
- Difficulty to exploit:
- CVSS v3 score
The Quicksilver team will re-evaluate the severity after the report is submitted and the provided steps have been reproduced. State the attacker model:
- What kind of attacker?
- Do they need authentication?
- Who else does it affect?
Steps to reproduce/PoC
A clear outline of the steps an attacker would take to execute the payload, including how to set up and launch it.
- Show, introduce, discuss
If applicable, include a list of all prerequisites for reproducing the vulnerability (e.g. software used for debugging, special node configurations).
Affected Demographic/User Base
- Who does this issue affect?
- Is it everyone or only a subset of users?
- How can this occur?
Remediation
- How do you fix the issue?
- What remediation actions are recommended to fix the issue?
References
Include additional reading that backs up the issue explained or elaborates on other issues that could be chained with the one identified.
KYC / KYB requirement
Quicksilver requires KYC / KYB from all researchers who submit a report and want a reward above a certain dollar level.
The information required (photographic ID, utility bill) is assessed by a third party (Synaps). Researchers that are business entities will have to provide additional information (e.g., directors, owners). Please anticipate that Synaps might require documentation in English, or certified translations into it. The collection and assessment of this information is done by Synaps; Quicksilver will not have access to the KYC / KYB information.
Above a certain dollar level, payouts are contingent on successfully passing the KYC or KYB process. Payouts are handled by the Quicksilver team directly. Reward amounts are denominated in USD but are paid out in QCK or USDC.
Please note that this is the first iteration of the Bug Bounty Program rewards and that it may evolve in the future; the payout ranges below are indicative only.
Vulnerabilities already identified in the security audit reports by Halborn Security and Orijtech are not eligible for rewards.
Vulnerabilities in chains connected to Quicksilver should be reported to those chains' own security teams.
Low level: Up to USD 500
Medium level: Up to USD 2,500
High level: Up to USD 20,000
Critical level: Up to USD 50,000
Applications and websites (Quicksilver webapp, icq, xcclookup, authz-pusher)
Low level: Up to USD 100
Medium level: Up to USD 500
High level: Up to USD 1,000
Critical level: Up to USD 2,500
Other infrastructure and services
Low level: Up to USD 200
Medium level: Up to USD 1,000