▶️Bug Bounty and reporting of issues

Quicksilver recognizes the importance and value of security researchers’ efforts in improving community safety. We reward responsible disclosure of security vulnerabilities via our bug bounty program.

The bug bounty program covers all the code and services associated with Quicksilver.

Taking part in the Bug Bounty Program requires researchers to adhere to the following rules:

  1. Providing Quicksilver with a reasonable amount of time to fix the vulnerability prior to sharing details of the vulnerability with any other party.

  2. Preserving the confidentiality and integrity of any data acquired during the security research process.

  3. Not defrauding Quicksilver in the process of participating in this program.

  4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Quicksilver.

  5. Reporting vulnerabilities with no conditions, demands, or ransom threats.

  6. Complying with and passing a KYC or KYB process.

Social Engineering attacks are a violation of the rules of the program.

Bug submission format

Bug submission reports must be done in a secure way. We use PGP encryption to communicate with our security researchers.

Before you submit a report you will need to have a PGP keypair for secure communication with Ingenuity.

You can find the Ingenuity public key on Github and instructions to generate and use your keys here.

All submissions must be provided using the template below:

Contact information

  • Email address

  • PGP public key

Issue Description

Add a detailed description of the issue, including but not limited to, the impact on the network or end users, the software version(s) affected, current vs. expected behaviour, likelihood of exploit, alternatives or workarounds to the vulnerability, etc.

Affected URL/Area

The affected URLs or area of the application where the issue exists.

Risk Rating

  • Risk:

  • Difficulty to Exploit:

  • CVSS3 Score:

  • Authentication:

The Quicksilver team will reevaluate this rating after the report has been submitted and the steps provided have been reproduced.

Impact

  • What kind of attacker?

  • Do they need authentication?

  • Who else does it affect?

Steps to reproduce/PoC

A clear outline of the steps required to execute the payload as an attacker; this can include how to set up and launch the payload.

  • Request

  • Response

  • Show, Introduce, Discuss

  • Screenshots

If applicable, please include a list of all the prerequisites for reproducing the vulnerability (e.g. software used for debugging, special node configurations, etc.).

Affected Demographic/User Base

  • Explain who this issue affects

  • Is it everyone or just a select number of users?

  • How can this occur?

Recommended Fix

  • How do you fix the issue?

  • What are the recommended remediation actions required to successfully fix issue x?

References

Include additional reading for the client to further back up the issues explained, or to elaborate on other potential issues chained to the one identified.

KYC / KYB requirement

Quicksilver requires KYC / KYB to be done for all researchers submitting a report and wanting a reward above a certain dollar level.

The information required (photographic ID, utility bill) is assessed by a third party (Synaps). Researchers that are business entities will have to provide additional information (e.g., directors, owners). Please anticipate that Synaps might require documentation in English, or certified translations into English. The collection and assessment of this information will be done by Synaps; Quicksilver will not have access to KYC / KYB information.

Bug Bounty Program Rewards

Above a certain dollar level, payouts are contingent on successfully passing a KYC or KYB process. Payouts are handled directly by the Quicksilver team and are denominated in USD; however, they are paid out in QCK or USDC.

Please note that this is the first iteration of the Bug Bounty Program Rewards and that it might evolve in the future; the payout ranges below are for informational purposes only.

Scope

Vulnerabilities already identified in the security audit reports by Halborn Security and Orijtech are not eligible for rewards.

Vulnerabilities associated with chains connected to Quicksilver should be reported to the specific chains’ security teams.

Payout ranges

Blockchain (quicksilverd)

Low level: Up to USD 500

Medium level: Up to USD 2,500

High level: Up to USD 20,000

Critical level: Up to USD 50,000

Applications and websites (quicksilver webapp, icq, xcclookup, authz-pusher)

Low level: Up to USD 100

Medium level: Up to USD 500

High level: Up to USD 1,000

Critical level: Up to USD 2,500

Other infrastructure and services

Low level: Up to USD 200

Medium level: Up to USD 1,000
