Attention all you intrepid bug bounty hunters out there! Strap on your vulnerability scanners and fire up your fuzzing tools. The Stellar Development Foundation (SDF) team has partnered with HackerOne to launch a new bug bounty program focused on Soroban, the Stellar network’s native smart contract platform. Soroban is still in an early stage of development and is not yet live on Mainnet, making now a critical time to find bothersome bugs and collect bounties. As Boba Fett traversed the galaxy for the Millennium Falcon, we ask you to span the Sorobanverse for code vulnerabilities.
The new program differs from the current Stellar network’s bug bounty in that it is focused solely on Soroban-related systems and hopes to attract advanced hackers with higher reward opportunities.
Let’s dig into some program details.
Soroban is a smart contracts platform written in Rust that is being built to integrate with and function alongside the Stellar blockchain. It is currently in its eighth preview release on the shared test network called Futurenet, with plans to launch on Mainnet later this year. Soroban is in a pivotal stage of development, with code freeze only a couple of months away. Now is an ideal time to find vulnerabilities, even if they’re breaking changes, as it’s easier to patch and modify the code before things get locked down.
Hackers are welcome to dig into the Rust SDK, contract environment, CLI and RPC server, stellar-core Rust bridge, and other targets in their search for bugs and security flaws. Out-of-scope submissions include brute-force attacks against Stellar’s public instances (such as Horizon and RPC), DoS and DDoS attacks, remote code execution in the Stellar DEX (although this can be reported in the current Stellar bug bounty program), and more. Check out the HackerOne page for a comprehensive list of in-scope targets and additional information on accepted submissions.
And remember that Soroban is a smart contracts platform. Although smart contract developers (and anyone else) can partake in the bug bounty, hackers with more advanced experience in browser sandbox escape, low-level code such as WebAssembly (what Soroban contracts compile into), and an understanding of memory management, code instrumentation, and symbolic execution will probably have the most success.
The reward amount for each bounty is determined using a combination of the OWASP Risk Rating Methodology and submission quality. The OWASP method provides guidelines for judging a bug’s severity, taking into account its likelihood, impact, and reproducibility. Evaluating these factors ensures the reward amounts correspond to the potential risks posed by the identified vulnerabilities. At the same time, a submission’s quality is judged on a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept.
Rewards will initially be capped at $50k USD for the most critical vulnerabilities. As Soroban matures and Mainnet launch approaches, the bugs will become more complex, which may cause bounties to grow to match that complexity.
Hackers will receive a reward for a bug only if they are the first to report it. Given the public nature of blockchains, it is possible that someone else may come across the same bug and report it before you do. So, be sure to be diligent and swift in reporting vulnerabilities!
Bug bounty hackers play a crucial role in building safer and more secure systems for everyone, something that’s vital to a platform’s success. So dive in, share your findings, and help contribute to Soroban’s continued development. Keep an eye on the HackerOne page for important dates, updated reward information, and details on how to submit vulnerabilities.
Although the new bug bounty is focused solely on Soroban for now, we’d love to eventually expand the scope to other open-source systems like Horizon and Stellar Core. We’ll be sure to keep you up to date on all things bug bounties as the program continues to evolve.