- Proposed: KLAY worth USD 450,000
Security is the most important property of Klaytn, and security issues can lead to direct
financial losses as well as service failures. To maintain Klaytn security continuously, Klaytn
needs a long-term security program such as a bug bounty program. A bug bounty
program is a proactive arrangement offered to white hat hackers: participants in the
program report bugs or security flaws and are compensated for their reports.
The goal of this project is to run a bug bounty program for the security of the Klaytn client.
The Golang source code in the Klaytn GitHub repository is the main scope of the program,
and Ground X will operate a test node for program participants. If a reported bug is
confirmed as valid, Ground X will mitigate the reported issue and send the reward to the
reporter via the bug bounty platform. All confirmed vulnerabilities, their mitigations, and the
reward history will be posted every two months in the form of a progress report. The project
budget will be used for two purposes: 1) the registration and operation fee of a bug bounty
platform, and 2) rewards for bug reporters. When the project is finished, the remaining budget
will be refunded to the KIR fund, or it will be used to keep the program running longer if we
obtain sufficient consent from the council.
The most important thing in this project is to run the bounty program fairly and transparently.
For fairness and transparency, we will write progress reports and a final report publicizing
the history of bounties. We will also provide a test environment to encourage more
engagement in the bounty program.
- Progress/Final Reports
○ Summary of reported issues: Statistics of all reports and a summary of all
valid bug reports will be included.
○ Status of vulnerabilities and fixes: Status of bugs and source code update
history to fix the bugs will be included.
○ Reward details: The full reward distribution history will be recorded. An attestation
from the bug bounty platform will also be included, and we will encourage the
platform to make the reward history public on their platform.
- Running a test node for the bounty program
○ A public Klaytn node on the Baobab network will be operated for the duration of the
bounty program. Any white hat hacker can easily test against the public node.