Bug Bounty Program

The Flux Bug Bounty Program awards participants who invest their time into finding bugs or exploits in Flux products.

What can you earn?

All bugs will be evaluated according to their severity and rewarded accordingly.

Severity                                                                 Reward

Critical                                                                   up to 10000 FLUX

High                                                                       up to 1000 FLUX

Medium                                                                 up to 500 FLUX

Low                                                                        up to 100 FLUX

How it works

You will receive rewards based on the severity of the issue found if you:

  1. Make all possible effort to not interrupt or degrade our service.
  2. Do not attempt to gain unauthorized access to user accounts, assets or information (use your own account/accounts to test against).
  3. Do not copy or modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
  4. Do not exploit a security issue you discover beyond the point of validation on your own accounts/nodes.
  5. Consent to be added to a list published of researchers who have submitted valid security reports.
  6. However, should you wish to remain anonymous, we will respect your privacy. You must inform us at the time of submission, and we will not add your name to aforementioned list.
  7. We reserve the right to determine timeframes for publishing reports (and accompanying updates) pertaining to each instance. However, we will provide best effort information to you on all such issues.

Additionally, in order to qualify for rewards you must adhere to the following responsible disclosure policy:

  1. For Zelcore related issues: exploits and bugs are restricted to your own account or instance of the Zelcore wallet and have been carried out for validation purposes only.
  2. For website related issues: No data is removed from the website upon discovery.
  3. The Flux Blockchain and nodes: Any and all exploits be confined to a private testnet or regtest for validation purposes. Any code modifications carried out to run exploits need to be disclosed along with the effects for full validation.
  4. For the FluxOS distributed operating system, any and all exploits are confined to their own nodes for validation purposes. Should additional nodes be required to fully validate more serious exploits, the Flux team will assist with a private testnet.
  5. Submissions can only be made to [email protected] using the attached PGP keys for encryption is a requirement.
  6. Include an email for responses in your report.
  7. Adhere to timeframes laid out in initial confirmation of report emails.
  8. We do have a no-reply policy on improper submissions, none severity issues and spam.

Please note that we have the right to remove you from the bug bounty program and disqualify you from receiving any bounty rewards if you are in violation of any national, state, or local law or regulation.

Qualifying Bugs

The following list is by no means exhaustive, so if you have a bug that is not on either the qualifying or non-qualifying lists, report it, it will be covered.

-Injection flaws such as SQL, noSQL, Mongodb or OS injection that tricks command interpreter into executing unintended commands without proper authorization.

-Broken authentication/session management that allows compromise of passwords, keys or session tokens.

-Sensitive data exposure due to improper protection of data via insecure API or flaw in cryptography implementation.

-Weak or missing access controls enable attackers to gain unauthorized access to restricted resources or perform actions that should be prohibited based on their permissions.

Non-qualifying bugs

Non-original or previously disclosed/reported bugs (with fixes currently underway).

Non-technical attacks such as social engineering, phishing, or physical attacks against entities or infrastructure.

Any degrading/damaging the reliability or integrity of our services (such as DDoS attacks, man in the middle attacks, spamming, and similar questionable acts).

Any software not directly produced by the Flux team.

Domains hosted by third parties (e.g.: Github, Gitlab, etc).

Subdomains operated by third parties (e.g: info.runonflux.com).

Any Flux branded services operated by third parties.

Any applications running on FluxOS *.app.runonflux.io and *.app2.runonflux.io

How to report a bug

Send an email using the below PGP keys to [email protected] and no other email address. Failing to use the attached PGP keys for the bug report will invalidate any security issues higher than level 2 on the CVSS scale.

Process to follow

  1. Write up a report on your findings.
  2. PGP Encrypt the report with keys from URL.
  3. Within 24 hours you will have an acknowledgement if your reported submission is valid and adheres to responsible disclosure policy.
  4. Adhere to timeline and additional information requests from the Flux team outlined in the acknowledgement email.
  5. Discuss publication times and names.
  6. Collect bounty.
  7. Get published.

PGP key

—–BEGIN PGP PUBLIC KEY BLOCK—–
Comment: User-ID: Flux Security
Comment: Fingerprint: F3244FFC7207DB2CAA355DF506139DA3A0B13EC1

mQGNBGLPZCQBDACjjaGtugWn32+GnSi17zrqp3fdvJ8PAK7s4NX4Z8mQK+H1iEoa FygGSpgmWEqEuDmV/yeGxyn9wUmvV7ZF7rVqWG64v3BU/VDGnZDTOaTllFjCTFTw AqO40YcotTMcZulPqQGLNFTbnfl4hMMzIevF9/AtccAUIMJlD14PiUWPh27A56f1 wgsYgY2qQb8+huC6crLXUbWLN7vxUrVEynMif9t1dDH40FD2iRGUpx0ylD5EYsq2 GuStEzq/G/3cZLXdE5AJ9ZraymKXaAtHMQY6lbgSuPIr7ChDoy864OEAcS5on2J7 yaqAfspWegAGa6TqDRVhuVLHorbU5xRCORUDVXIbhXFqAuicHl+ZNqtNFjH0hf4w f5jU8FE+P4sinWU7dIXg/0qkb7MqhvhnRofwy17pQgNq239p28lP6j4EYkMfkdK1 adnPCHGOGzIFdqptmdEictHBxAYRtyiVooL4C58jKz2VNfd4a3cS08JKkoZmZbJw Ns1RchnTokMQoK8AEQEAAbQlRmx1eCBTZWN1cml0eSA8c2VjdXJpdHlAcnVub25m bHV4LmlvPokB1AQTAQgAPhYhBPMkT/xyB9ssqjVd9QYTnaOgsT7BBQJiz2QkAhsD BQkPDH2sBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEAYTnaOgsT7BTngL/A4T GNOqjJGRRH4pE/F49siZ+7n9z1jpOdDdWNxLd8HXeY7XzPROSz2QX3ZKlHEShayG cmysAD2TCid6AAGi3YBXzhWZt67Us1zFN8TehBdWnr60dEiLhxP/aBds83FCfLyN MlTgyzB8zY4o8ybj903mNAZnqpc4q0/bZCnStw5vVVvNKL1kmsJxu4TiIV7lZuFc JYz330BCC0iQg+xtNrozqfgi+gSExq4QpuYHGHHmV2PzgInasYeYmUUG6N+ymxVo +bbwj4ypTm4X36XOomiOImWGV5XSZXh0n3Rw0GIgyyDGCJGNCmd7jL2oTSdz93wd Qnz1zObUhrCW/FZRkf+LuXLsk0akcgd/qQPQ54rwUwSzbCKxwqijDrx/qEKVil++ /6aq6MdN26gjZkd86ehbrfgkemFX0suWkLxSemS4TDEeYJu9fVuMIzgflELf8rk/ 4rRfLaSu7OVxX8wN6gpSz5N93A97mkoWRh18UZIn+r2qQgtxSN1pClQxYRG1MrkB jQRiz2QkAQwAwJ3o5xaozz3/iYE1gSeAwKYCQvzbrIqzcs/C1QmI35QpQ6JLytZ9 I2ojEk32T8H6/VWTm50o+fcDGUi1a5CL+p6ENv1epK5vqTBs2uPZMUop2ZwSgRgf KVfsb3TSqiq/mpbD5HOZTMDkekVKyIZr3uX6cAjfqM6flcb3vnw/ogdJZD9CKXGv di+ew+xl9MnYdcuhcOpN2RQMfoW28uLMKQaDh5aFag27oVdF2rTTlzwLsXTH7DqO vJjD4UchlAGGIifWV6Y33jCepNoRNqyVs0QMTEgkeobJO3tsMNVrbJ+l8RytKG13 5G9oJqxjzAu/9CcSvUT6tuzWSwp7+Ck4O0uRpdPe+DGq+5bLKk1raC48e97LPS7v f7J6ouRolCn9xNwxOHRkEbsEK852bzp+a6FI3JJwY/2BySffJjsrsbm9eIJeB5ot MC1cg/XyH7kVUDF9mRos5w+eTvyCsrevi97QSw1KXXm6oo//vXNCMS2DIRN+8IzB 7S6xL67MBhaxABEBAAGJAbwEGAEIACYWIQTzJE/8cgfbLKo1XfUGE52joLE+wQUC Ys9kJAIbDAUJDwx9rAAKCRAGE52joLE+wTp7C/9Ch/5PPi/Gkn8LX/tTPITaQWg1 oOQaJn1LN+vi9OoNeKU+/W4mWlJI1k6SdLR4KWJf4vrl6ScWDkQ0Lr5F5F4g3DBP ZGHR21zcqQuJtuNWMmjrIKaek9KV3zV6LuypVUz1T77Kd3fT708ApyT4OHw6UyiM prZnm4MnWEmzPzcjh55d2nf9fuZmXaQZk7UJIIf46zAfikFJ8EIFCBd7GwtNVEOE YmQIOw6XoOu1Er9U/gin2Twv2QA/K/n7gwg3Ag4qBsJjRs6HcIhrl0b2Akj+TuQ9 FoUuRAtrrOovgM0uddIJySApevuVjwDY4BJSY/4q2OeZ4q07zDaNByJoXFSgcjDc z/gvy9uC+A2HCWmJg68b8DyjFV2o2h1Ne7Ya20eTc4rssTV//DyEtQNJ47pppltA oMzQ2D464k9RFmPdPVVwIJJ/SV4mWhSrTHr6DRtLP3f0qouIHKaYQZxjWYbfawfd tzpTvatifFlvMouyFUaglUM26s685NAcKfEFgJw= =rgC5

—–END PGP PUBLIC KEY BLOCK—–