Firo Vulnerability Bounty Program

We are happy to announce the official Firo vulnerability bounty program to encourage the developer/researcher community to review and contribute to our code.

This document is outdated. For up to date information about our vulnerability bounty program see the the dedicated page

We are happy to announce the official Firo vulnerability bounty program to encourage the developer/researcher community to review and contribute to our code.

We are only accepting reports in relation to Firo’s master branch. For the avoidance of doubt, we are not accepting submissions for website vulnerabilities or attacks that require >50% of the hashing power.

Vulnerability reports are to follow HackerOne’s Disclosure Guidelines. Failure to follow these guidelines and the rules below may result in the bounty not being honored.

Vulnerabilities are organized into three categories.

Severity Description Example Bounty (USD) in FIRO equivalent
Critical A critical vulnerability is such that impacts the Firo network as a whole, has potential to break the entire Firo network, completely removes the anonymity of Lelantus, results in the loss of Firo, or is on a scale of great catastrophe. A vulnerability that allows forged Lelantus spends to inflate supply. 10,000 up to 50,000
Major A major vulnerability is such that it impacts individual nodes, routers, wallets, reduces the anonymity of Zerocoin significantly (timing attacks excluded) or must be carefully exploited. For e.g. the paper Burning Zerocoins for fun and profit https://www.chaac.tf.fau.de/files/2018/04/attack-cryptocur.pdf 1,000 up to 10,000
Minor A minor vulnerability is one that has low impact or cannot be exploited easily.   100 up to 1,000

If there is a dispute over the severity of a vulnerability, the Firo team’s assessment will be definitive.

Submission Procedure

Submissions should be sent to

If the vulnerability is major or critical, the submission must be sent in PGP encrypted e-mail to the following address:

Please remember to include your PGP public key so we can have encrypted communications.

FAQ

How long till I receive a response?

We aim to respond to all vulnerability reports within 3 working days. Upon responding, we will make inquiries to confirm whether the submission is indeed a vulnerability. In either case, we will respond to confirm the vulnerability or provide a reason for why it is not a vulnerability.

How would the vulnerability be fixed?

Upon confirmation of the vulnerability, a private GitHub repo will be opened where the patch will be worked on together/reviewed with the researcher. Once this is completed, the vulnerability disclosure will be drafted and the release date discussed.

I reported a vulnerability but have not received a response!

Please allow up to 3 working days for an initial response. Also, realize that spam filters and email, in general, can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.

Would I receive credit for the submission?

By default, we will disclose the researcher that found the vulnerability along with the amount awarded. If you wish this information to be kept private, please let us know and we will honor your request.

How are bounty payments made?

All bounties will be paid in Firo based on the prevailing USD rate as determined by Coingecko’s average price at the time the patch is released.

What is the PGP Public key?

    —–BEGIN PGP PUBLIC KEY BLOCK—–
    Comment: Fingerprint: 96D83C503C974E59C79B15F0FE90742A2CEB91F1
    mQINBFiysEwBEACz0/eTnQUJVBxy5FoPnkBe2BcLYTmDaKhlzMCGSDeGMSDJSjum
    Z5JLmI2jgNs3GBYFPPXZG7kh+V98j7rN22yquylarFq6dI2MljfRuRUrAoHFQwe2
    mV6kP98i8VmjkBaDTqMAqkOZirJTbxQ2MgyxQYF/QhrGVlaeYPdaLojAhnToq/SQ
    jkZCopSO142riF5uAL7bX96FaZY9IY8/h8kgiAGlQCRtvllmy1+bRhIIH1XowzUh
    pkrsNpGQnwrbjcVJSZEAHz2teT79FNPUUvmouNFxjB2EbB/P6/ZtA+gRnEjcKeVw
    kmGkAFWrTfKHucQVMOuIObGiqwaSD0M8loyFZQt8ahvGntUEmWf3A6Md622mnWDs
    zKa4qO0URC3fzVMZepSLxChePEUUN0nwh+OBEeqowsOSd0FzKfs+B2pzrix6mp3o
    XwhsLeWgaVGclNtkcqx/SHc+dLdZj7hoGFAsdqRHXi5l6+mhtonRj1zMo6z5xOp3
    +D88hTT6l6M87hAB1GcfOzh+27qn2I0vX2A6o9zkM17y9igg1wmrXWYIgIchvaKD
    zrkB1JHO2bBBWwbQNpnWxDT2U2dWATrW0hozGHoLRD0AUHSolhNL+5Je+0ACXGs4
    htm3h7a4c9KVOGJwifqEau6Y9WtlEpkVL+qH5QYQ4mAKbJp9MlEodC8jcQARAQAB
    tBxSZXViZW4gWWFwIDxyZXViZW5AemNvaW4uaW8+iQI1BBABCAApBQJYsrBYBgsJ
    CAcDAgkQ/pB0KizrkfEEFQgCCgMWAgECGQECGwMCHgEAAD8dD/9BA+2nLq4v8KFX
    IDyikER5gikEKKs1d8ojwFLo4pIxxnwp73ZMOkbg1+zxL5Wr0uPK2/2mjgqofHPY
    HTNaUuyRMviOYJlaeHLTmXOgcEhHl9bQPKw1ShCsSpqSAB+i8mwqx+zzzNkRx8Qd
    V1DYKxxZxUfvUlMcS2tfNoiZZhBHg5hySQf1mZ0RXbc5ku0hcfrOz9mB+lZTDOhY
    +HzIc6lmhDgVdaj7lmtVE+V1V3Fm5qaWdrdmuZetgM9gCm+GdyoRvsTiUO9LE0rV
    cUucO7ESthxPmeXt8ckybAEcbdYTyHo96VYn+loyq7/u6VwdG0MVYPUSR5sU8y3H
    9lF1qpvSaKwI0FSQu4y+Nyd6/O4q/OxHk2TjXmTHpTHqRD7cHZp9cz2CO6e1Hg9g
    xsrZWj7OQavx0X0EbOYm4oTdvz1YljjNNKVmyLvwf4+1arT5c9m7PwkeyxB9ZNTf
    AgkLFSb+GMmsXOa2V1lIqW6abkLvP48GommZxTrkEVRKvAqE3akazenBWqZGfA2X
    LzrG+NY6CDWDYR2r7zqOEBJAvWFZO0N1uOd9lhCY0NU6SrMPV4Hsq2nobrV4kjlC
    hQQmlPEBPESD6mCI8ZeivgLWKHtERND9oy+/0yrJnjWWbC8QeJLmtOw3/P7Gk/rA
    349PN5jUTnfueOZYFYU7yLR8XEbSnrkCDQRYsrBMARAArQRQGeu2vhFAYYwsmL2r
    0yWbdzSRHUc4FgBlLyX7+T+LNvEzQi38eeCjYF49S+zNbmmu4epT4Pv5rWf7HUJh
    VDd+2mHlejHfFk9wujYsJ+cFMdXXwZc8iCrcnyEqfN7fInxmhE79yLfXQ+PSUd2W
    GiWt3p6vTtPej/CSkptr9VlqfqGOpOxOcAfJNusOEDFL3ClFD4JjoTFamV2hSYj8
    w95CnWJdsgfoiN8IbFiNbSEcrLtv0jYrNGa1VbT+h65TdsWZUFhk3JoHlczgSFDY
    QvWT1KqXGPH7RLCuxZ8b76TX4vtbskm56BNN8O3ldPE9Myf6/G3RvoSVYpyHCZFc
    j8bSkbPhb7eUH7YouVpRpuudwzlJipue9HSNzw8/Z3Dx34AlCtlkm3N3oKoLi2XP
    8nMCV8pKWSwrvav5+WdchE/7/dbOU3cBanFnfALfNxWAqcuI22qCedhdNZVUhSud
    GHbq93GFUQ4uL3BzkEtNSlvVejMbTAEZ+TyiWOcg/V8cArfIGRBHRzV2x27Iofu9
    0SZF2BhC9kvnHe6ziBOk1LU2yhhWjQSvOzJHBTfKd7KAM+9vISRttGMWFQx7fdTZ
    j53W4Bf2tAZUttzgB5W43/iCzvpL59QSk6rP9ajaq0eywXv/eq0GFNEt4Vr/Hd6j
    7xvsBt8nk7ewd3peoJUZXtEAEQEAAYkCHwQYAQgAEwUCWLKwXAkQ/pB0KizrkfEC
    GwwAAKiUD/9alGYzrbkoB3oiSFchGkOyeJEgpDESgcMGHysor8LogLeZF4I6fmgF
    Nx/cTRjnMO249f7ttsLRLJP1PeNJNCkrFy6s6D77Qr9ZRVJmxmo/l0fl3rDWR7fx
    PHjmIReFw0m9nTFdnHsP7qYo27sl3EMr+gqts85oa3kuw9XotQTIz5qJg4h0dZr/
    ycVEN7NNIDlM0++wLlXfWjI63Vj7uMutroAvCJPCJOACj9YOGzTpmaHIIuCjHmaO
    4s19KWIdZebzYjutWymy5FbZGRf5+aIlGUTSBlqDJpKu75zhLUR+ife0KxLn62bP
    n5jH8QIPYL2STJ1KmxdGLrk1A8/xvGhDN3j0+WXHBkdVNLYepnjpD5wwRqrTnQB7
    BcdwLSGUW7KglG1Tj+SgWt/EisKGLsfzALcJ88+gVM95YOx4Q/N0KYqNhVZ91/4/
    j6Q0bUWEs5Uvve3RclAFcTu/qp22TGyENZselTU8//TBejfQ6zVRqAmuP36AVmIM
    UrOuZhq0jhgOArCu6I9XgalOMxjRSRtinHVjosALoB937ibK/0U5SZ+UMaoXdpV0
    hu1BBNyX2JGOilguoVa5LTsXs/fJGYEQWVAwFs9Gf6oY2GcrFFhwlAnp7aNEe6R2
    AgiBnBcSd/T71j1tm8/eV9COgcpYrZ6aaOztKf5jEmWL+t8hIpX2Cw==
    =GGFJ
    —–END PGP PUBLIC KEY BLOCK—–