REX (XRX) Bug Bounty Program

Rex Token - rex-token.com
Sep 20, 2022

The rex.io project invites everyone to take part in the REX Bug Bounty program, to find bugs in the REX Smart Contracts.

REX (XRX) Cryptocurrency is audited by CertiK, Solidity.Finance and TechRate

Hall of Thanks

We would like to thank the following people for their support in making our products more secure:

[no entries yet]

How to disclose

Step 1. Write a report and include the following information

  • Code or proof of concept so that we can reproduce the vulnerability.
  • Description of the vulnerability.
  • Your name/handle, so that we can give you proper recognition if you wish.

Step 2. Send your report to bugbounty@rex-token.com

After your submission, we will follow up with you as part of the review process. Once we have determined that you have found a security bug, we will give you recognition for your work as part of our “Hall of Thanks” (if you desire) and allow you to claim your bounty reward.

Note:

  • REX does not reward bug bounties for vulnerabilities found in third party services. Please report these issues directly to the relevant service.
  • REX typically does not reward bug bounties for software that is in testnet status (testnet.rex.io) or software that is not covered in the current REX paper (rex.io/paper). However, please still submit any vulnerabilities you find. We may consider paying out a reward regardless.

Please read the “Bug Bounty Policy” below for full requirements on how to be eligible for the bug bounty program.

REX (XRX) Cryptocurrency Security

Security announcements

We encourage you to follow https://rextoken.medium.com/ to stay up to date with the latest security news from REX.

Bug bounty policy

Updated 21 Sept 2022

REX strives towards excellence when it comes to the security and privacy of our products and believes that an open architecture is vital to keep users safe. However, even in time-proven security architectures, vulnerabilities can be found. This is why our code is open source. In the case you find a vulnerability, we would like to ask you to follow our bug bounty program for responsible disclosure. Find all deployed and active REX Smart Contracts in our current REX PAPER at rex.io/paper.

Hall of thanks

We are thankful to the researchers who work with us to help keep users safe. We wish to acknowledge those who have contacted us and coordinated the release of their research. At their discretion, contributions are attributed in our Hall of Thanks at the top of this article. We also understand that anonymity may be an important concern to the researcher and are prepared to protect their identity.

Preamble

Respect and appreciation of the effort, time and skills of independent security researchers is important to REX. We enable researchers in their work to help us equip users with safe products by establishing responsible disclosure guidelines and a Bug Bounty program. We understand that researchers are free to choose their work’s focus as well as when and to whom they disclose their findings. When a vulnerability is found, we recommend you follow our guidelines below.

  1. Information that significantly helps improve the security of our Smart Contracts will be rewarded. This information must relate to the published and verified REX (XRX) Smart Contracts that we maintain and make available on the blockchain, usable through the rex.io website and mentioned in the rex.io/paper.
  2. Keep lines of communication open: Additional information is needed and we want to ensure that we give your research proper attribution.
  3. Do not actively exploit or commit a Denial of Service against us or other users’ wallets and nodes where the software connects, at any time.
  4. If applicable, the bounty will be granted after the Incident Response is successfully completed and the relevant software fixes have been released.
  5. Issues that have been publicly reported or were known by REX prior to your disclosure are not applicable for the bug bounty program.
  6. Website vulnerabilities are not part of the bug bounty program.
  7. We do not reward bug bounties for vulnerabilities found in third party services. Please report these issues directly to the relevant service.
  8. REX typically does not reward bug bounties for software that is in testnet status (testnet.rex.io) or software that is not covered in the current REX paper (rex.io/paper). However, please still submit any vulnerabilities you find. We may consider paying out a reward regardless.

Security response team

The security team may be reached at security@rex-token.com for reports and discussion about potential issues.

Incident response

  1. Submit your report to bugbounty@rex-token.com.
  2. We will respond within 3 business days and then make inquiries to obtain any needed information. We will confirm receipt of your contact, triage the reported issues, and follow up with the results of our validation process.
  3. For vulnerabilities or important observations that impact our users, we’ll lay out a timeline regarding mitigation and suggestions for coordinated disclosure with you. We will report on progress made and contact you if more time is required.

Post-release disclosure process

  1. At your discretion, we will credit you on our Hall of Thanks (see above) and in relevant software release notes.
  2. Rewards are based on the severity of the bug and at a level that we feel is reasonable.
  3. If the Incident Response process in section IV is not successfully completed and consensus on a timely disclosure is not reached, we encourage you to publish your results without us.

Yours,

REX SECURITY TEAM

security@rex-token.com
