Bug bounty
Triaged by HackenProof

Polygon POS: Program info

Polygon POS

Company: Polygon Technology
This program is active now
Program info

Polygon Labs develops Ethereum scaling solutions for Polygon protocols. Polygon Labs engages with other ecosystem developers to help make available scalable, affordable, secure and sustainable blockchain infrastructure for Web3.

In scope
TargetTypeSeverityReward
https://github.com/maticnetwork/heimdall/

Polygon POS - Heimdall

Other
Critical
Bounty
https://github.com/maticnetwork/bor/

Polygon POS - Bor

Other
Critical
Bounty
https://static.polygon.technology/network/mainnet/v1/index.json

Polygon POS - Smart Contracts

Smart Contract
Critical
Bounty
https://etherscan.io/address/0x455e53CBB86018Ac2B8092FdCd39d8444aFFC3F6

Polygon 2.0 - POL Token

Smart Contract
Critical
Bounty
https://etherscan.io/address/0xbC9f74b3b14f460a6c47dCdDFd17411cBc7b6c53

Polygon 2.0 - POL Emission Manager

Smart Contract
Critical
Bounty
https://etherscan.io/address/0x29e7DF7b6A1B2b07b731457f499E1696c60E2C4e

Polygon 2.0 - POL Migration

Smart Contract
Critical
Bounty
Target
https://github.com/maticnetwork/heimdall/

Polygon POS - Heimdall

TypeOther
Severity
Critical
RewardBounty
Target
https://github.com/maticnetwork/bor/

Polygon POS - Bor

TypeOther
Severity
Critical
RewardBounty
Target
https://static.polygon.technology/network/mainnet/v1/index.json

Polygon POS - Smart Contracts

TypeSmart Contract
Severity
Critical
RewardBounty
Target
https://etherscan.io/address/0x455e53CBB86018Ac2B8092FdCd39d8444aFFC3F6

Polygon 2.0 - POL Token

TypeSmart Contract
Severity
Critical
RewardBounty
Target
https://etherscan.io/address/0xbC9f74b3b14f460a6c47dCdDFd17411cBc7b6c53

Polygon 2.0 - POL Emission Manager

TypeSmart Contract
Severity
Critical
RewardBounty
Target
https://etherscan.io/address/0x29e7DF7b6A1B2b07b731457f499E1696c60E2C4e

Polygon 2.0 - POL Migration

TypeSmart Contract
Severity
Critical
RewardBounty

Focus Area

For GitHub repositories please ensure you are reviewing the latest published releases, and code is deployed in production

Program Rules

Rewards and Recognition

Severity Clasification

Polygon classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Polygon.

Payouts and Payout Requirements

  • Payouts are handled by the Polygon Labs team directly and are denominated in USD. Payouts are done in USDC or MATIC at the Polygon Labs teams' discretion. Polygon Labs commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures.
  • This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions. If the individual is a US person, tax information may be required in order to properly issue a 1099.
  • Polygon Labs requires an invoice to be received for each payout. An invoice template can be provided by Polygon Labs.

KYC Requirements

  • Polygon Labs does have a Know Your Customer (KYC) requirement for bug bounty payouts.
  • KYC information is only required on confirmation of the validity of a bug report which Polygon Labs determines in its sole discretion.

Out of Scope - General

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
  • Broken link hijacking is out of scope
  • Loss of funds held by third parties
  • Attacks related to vulnerable, old or deprecated libraries, that are not exploitable

Out of Scope - Smart Contracts and Blockchain/DLT

  • Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
  • Previously known vulnerabilities in Tendermint and or/any other fork of these.
  • Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

Prohibited Activities

The following activities are prohibited by this bug bounty program. Violation of these rules may result in zero payout.

  • Any testing with mainnet or public testnet deployed code; all testing should be done on private testnets
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without written consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • All reports should include a runnable Proof of Concept (PoC) in order to prove impact
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program;
  • Payouts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production.
  • Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope.
  • For GitHub repositories please ensure you are reviewing the latest published releases
  • ONLY USE YOUR HackerProof ADDRESS (in case of violation, no bounty can be awarded)
Rewards
Range of bounty$1,000 - $1,000,000
Severity
Critical
$50,000 - $1,000,000
High
$20,000
Medium
$5,000
Low
$1,000
Stats
Total rewards0
Bugs found26
Categories
NetworkProtocolSolidity
Types
blockchainsmart contract
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time3d
Reward Time10d
Resolution Time14d