Bug bounty (triaged by HackenProof, Hidden Gem)

Internet Computer Protocol : Program info

Company: DFINITY
KYC required
This program is active now

Dfinity is a not-for-profit organization based in Zurich, Switzerland. Our mission is to develop technology that supports the next generation Internet Computer blockchain network and ecosystem.

In scope

All targets below are rated Critical and rewarded with a Bounty. Each entry gives the target, its type, and its focus area / description.

  • https://github.com/dfinity/ic (Protocol): Core Internet Computer Protocol stack. The Internet Computer Protocol (ICP)
  • https://github.com/dfinity/ic/tree/master/rs/nns (Code): Network Nervous System (NNS) canisters
  • https://github.com/dfinity/ic/tree/master/rs/rosetta-api (Code): Network Nervous System (NNS) canisters. Rosetta API
  • https://github.com/dfinity/nns-dapp (Code): Network Nervous System (NNS) Frontend Dapp. Network Nervous System Dapp
  • https://nns.ic0.app/ (Code): Network Nervous System (NNS) Frontend Dapp. nns.ic0.app
  • https://github.com/dfinity/internet-identity (Code): Internet Identity: Internet Computer Authentication System
  • https://identity.ic0.app/ (Code): Internet Identity: Internet Computer Authentication System. identity.ic0.app
  • https://github.com/dfinity/ic/tree/master/rs/sns (Code): Service Nervous System (SNS)
  • https://github.com/dfinity/ICRC-1 (Code): Service Nervous System (SNS)
  • https://github.com/dfinity/motoko-base (Code): SDK, CDK, Motoko smart contract language & Dev Tools. The Motoko base library
  • https://github.com/dfinity/motoko (Code): SDK, CDK, Motoko smart contract language & Dev Tools. Motoko
  • https://github.com/dfinity/sdk (Code): SDK, CDK, Motoko smart contract language & Dev Tools. DFX
  • https://github.com/dfinity/cdk-rs (Code): SDK, CDK, Motoko smart contract language & Dev Tools. Rust Canister Development Kit
  • https://github.com/dfinity/agent-js (Code): SDK, CDK, Motoko smart contract language & Dev Tools. DFINITY's JavaScript Agent Repository
  • https://github.com/dfinity/agent-rs (Code): SDK, CDK, Motoko smart contract language & Dev Tools. DFINITY's Rust Agent Repository
  • https://github.com/dfinity/candid (Code): SDK, CDK, Motoko smart contract language & Dev Tools. Candid
  • https://github.com/dfinity/quill (Code): SDK, CDK, Motoko smart contract language & Dev Tools. quill
  • https://github.com/dfinity/icx-proxy (Code): SDK, CDK, Motoko smart contract language & Dev Tools. icx-proxy
  • https://github.com/dfinity/ic/tree/master/rs/boundary_node (Code): Boundary Nodes. Boundary node
  • https://github.com/dfinity/icx-proxy (Code): Boundary Nodes. Icx-proxy
  • boundary.ic0.app (Web): Boundary Nodes. boundary.ic0.app
  • boundary.dfinity.network (Web): Boundary Nodes. boundary.dfinity.network

Focus Area

Core Internet Computer Protocol stack

The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitutes the Internet Computer blockchain network platform. The protocol documentation and specs can be found here.

In order to get a good overview of the Internet Computer and to get started with it please see here.

Source code:

Network Nervous System (NNS) canisters

All the aspects of Internet Computer behavior are governed by the community of enthusiasts and users of Internet Computer through a democratic governance system called the Network Nervous System (NNS). A high-level introduction to the operation of the system can be obtained from this quick video and this medium post.

Network Nervous System (NNS) Frontend Dapp

The NNS front-end Dapp is a dapp that provides a user-friendly way to interact with the Internet Computer’s governance system. With it, you can:

  • Send/receive ICP
  • Stake neurons
  • Create canisters
  • Top-up canisters with cycles
  • View and vote on NNS proposals

Source code & domain:

Service Nervous System (SNS)

The SNS feature on the Internet Computer allows dapp (decentralized application) developers to roll out their own DAO (Decentralized Autonomous Organization). The documents related to SNS can be found here. A related aspect is the ICRC-1 specification, which is the fungible token standard on the Internet Computer platform. The documents for the ICRC-1 token standard can be found here.

Internet Identity: Internet Computer Authentication System

Internet Identity is an anonymous blockchain authentication framework supported by the Internet Computer. It builds on the Web Authentication (WebAuthn) API supported by modern web browsers and operating systems, and on the "chain key cryptography" framework that powers the Internet Computer. Here is the quick start guide to Internet Computer; also check out the following video.

Source code & domain:

SDK, CDK, Motoko smart contract language & Dev Tools

The documentation for tools and development kits to assist with development in Internet Computer can be found here. Motoko is the native language of Internet Computer that simplifies the development of smart contract canisters.

Source code & domain:

Internet Computer Infrastructure

Boundary Nodes

One of the major components of the Internet Computer infrastructure is the set of boundary nodes. The boundary nodes sit on the perimeter and act as a gateway into the Internet Computer platform.

Other Infrastructure

In addition to the boundary nodes there are additional infrastructure assets that support the operations of the Internet Computer. Here is the list of the domains:

  • ic0.app
  • raw.ic0.app
  • icp0.io
  • raw.icp0.io
  • dfinity.network
  • dfinity.systems

IN SCOPE

Critical

  • The attack is easy to perform at a low cost and has a severe global impact.
  • Examples: disclosure of subnet key shares; compromise of the integrity of the consensus process, for example insertion of an arbitrary block into the blockchain; RCE in internal networks; memory underflow/overflow issues resulting in theft or illegal minting of an exorbitant (> $1M) amount of ICP/cycles*

High

  • The attack is relatively straightforward but may have additional constraints that affect the ease or cost of the attack to a certain degree, while still having a significant impact.
  • Examples: a vulnerability that grants unauthorized access to neurons (access control bypass) but requires a significant amount of work per neuron; memory corruption of canisters resulting in loss of integrity but constrained by a limiting factor, such as being exploitable only on canisters with certain pre-existing properties

Medium

  • The attack is difficult to perform, requires significant technical know-how and cost, or the target may have to satisfy strict requirements in order for the attack to have a significant impact. An attack that is simpler to perform but has only moderate impact also falls under this category.
  • Examples: memory corruption resulting in a crash of the replica process; a client-side vulnerability that allows stealing credentials or keys from the client (e.g. browser) by manipulating the user

Low

  • An attack that is very difficult to perform or has a minor impact falls under this category.
  • Examples: a bug that lets an attacker control what is displayed to the user without affecting server-side data; UI redress; a bug that is not demonstrably exploitable but could become exploitable with more research

OUT OF SCOPE

  • All public websites and 3rd party Dapps are out of scope for this bug bounty program. You can report issues but we don’t provide rewards.
  • Network-level DoS and DDoS are out of scope. Network-level misconfigurations or application- or platform-level DoS issues (especially crashes) may qualify for a bounty at DFINITY’s discretion, depending on the attack’s impact. We ask researchers not to perform DoS attacks on mainnet and production deployments; doing so will disqualify you from the bug bounty program and from obtaining bounties. Consider using local setups (e.g. using DFX) to demonstrate crashes, or reach out to us and we can support you in reproducing exploits.

Program Rules

  • Avoid using web application scanners for automatic vulnerability searching, as they generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this Company without appropriate permission
  • If your finding is valid, you might be asked for extra KYC verification to proceed with payment

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • Ensure that the potential security bug you are reporting is in scope as specified in the Scope & Targets section below
  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of ours or of one of our contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps
  • Please treat the report as confidential until the respective teams have a chance to fix the issue. Public disclosure of the vulnerability without abiding by this policy makes it ineligible for rewards
  • Do not engage in social engineering techniques or spear-phishing campaigns
  • Bugs in third-party code are strictly excluded from the scope.
  • Duplicate reports and closely related submissions will be dealt with on a case-by-case basis. If the submissions are determined to be genuine they may be rewarded based on a lower reward scale

Safe Harbor

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith;
  • You are expected, as always, to comply with all applicable laws.

Rewards

Range of bounty: $500 - $50,000

  • Critical: $25,000 - $50,000
  • High: $10,000 - $25,000
  • Medium: $2,000 - $10,000
  • Low: $500 - $2,000

Stats

  • Scope Review: 2822
  • Submissions: 36
  • Total rewards: $5,200

Types: blockchain
Languages: Rust
Project types: Other, L1

Hackers (20)

  • Rootx (1)
  • Zakaria eddafri (2)
  • Codermak (4)
  • Berkahe kiyai (5)

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

  • First Response: 3d
  • Triage Time: 5d
  • Reward Time: 5d
  • Resolution Time: 14d