TECHNOLOGY

Bug Bounty Program

The Energy Web Bug Bounty Program exists to incentivize and reward members of the community who identify and help resolve security vulnerabilities in the EW Chain, Utility Layer, EW-DOS toolkits, and auxiliary EW-related tools and infrastructure.

The scope of the program includes all public EW GitHub repositories and hosted applications (Switchboard, EWC Bridge, Key Manager). The primary areas of interest are:

  • Access/Identity vulnerabilities 
  • Logical Errors
  • Exploitation - XSS, CSRF, SQL injection, SSL misconfigurations etc.
  • Smart Contract Errors
  • Cryptography Errors

The following are out of scope and excluded from the Bug Bounty program:

  • DNS, configuration, and hosting of the energyweb.org website
  • Any known vulnerabilities reported on third-party sites (e.g., Hackerone)
  • Any previously-reported vulnerabilities (those listed on this webpage)
  • Any vulnerability found using common open-source scanner tools ( e.g., https://github.com/sullo/nikto or https://github.com/maurosoria/dirsearch)
REPORT A BUG

Individuals or organizations who report and/or resolve bugs are eligible for rewards (EWT and public recognition) as follows:

  • Bugs are categorized at the sole discretion of the Energy Web Technical Committee using a risk assessment matrix based on impact and likelihood. The reward for a given bug is proportional to its severity; rewards are also higher for reporting a bug along with a recommended resolution than for reporting a bug alone.
  • Severity categories are defined as follows:
    • Low = vulnerabilities that may result in reduced functionality for certain users under specific conditions.
    • Moderate = vulnerabilities that will result in reduced functionality for all users under existing conditions.
    • High = vulnerabilities that may result in 1) loss or reduced access to EWT, private keys, or personally-identifiable information for some users under certain conditions, or 2) complete system failure for some users under certain conditions.
    • Critical = vulnerabilities that will result in irrevocable loss of EWT, private keys, or personally-identifiable information and/or complete system failure for all users under existing conditions.
  • To be eligible for the reward, a reporter must meet ALL of the following criteria:
    • Provide a description of the reproducible bug, including a script and/or detailed step-by-step instructions on how to expose the vulnerability, by completing this form. If also providing a resolution, they must include link and/or an invitation to the relevant private GitHub repository and/or related documentation.
    • Be the first person to report the issue (see list of known issues below)
    • Not disclose any details of the bug / vulnerability publicly.
    • Not be a paid auditor or contractor of EWF.
  • Upon receipt of a vulnerability report, the EW team will review the details and respond directly if the vulnerability is deemed to be credible and eligible for the program under the terms above. Due to the volume of reports, not all reports will receive a direct response.

Please contact bugbounty AT energyweb DOT org with any further questions, and thank you for your help strengthening the Energy Web community.

REPORT A BUG

BUG RESOLUTION HISTORY

Date Resolved
Bug Name
Description
User Name
User Twitter
User Github
April 27, 2021
EWC Explorer Database Vulnerability
Source code, configuration files, and database information / credentials (admin key) are exposed in explorer.energyweb.org. An attacker could use this information to disable the explorer site, get cookies of accounts pushed to the server, and create artificial / false transactions in the explorer database (not EWC itself). To resolve, update the database admin keys and remove this information from source code.
@coder10102020
The Energy Web is accelerating a low-carbon, customer-centric electricity system by unleashing the potential of open-source, decentralized, digital technologies.

Latest Tweets

#AskEnergyWeb On 25 October at 18:30 CEST, we'll host another Telegram AMA! The ... Telegram AMA is your opportunity to connect with members of the #EnergyWeb team via our Telegram channel. Come join us on Telegram and ask away #Askenergyweb! http://T.me/energyweb

#AskEnergyWeb On 25 October at 18:30 CEST, we'll host another Telegram AMA! The ... Telegram AMA is your opportunity to connect with members of the #EnergyWeb team via our Telegram channel. Come join us on Telegram and ask away #Askenergyweb! http://T.me/energyweb

Energy Web is excited to mobilize the Student community on our #EWDOS and host ... the Energy track together with @howest University of applied science at the international BLING blockchain Hackathon on 13 and 14 November. We’ll be there as well, register here https://blingathon.eu/howest

Let's keep the momentum going @ClimateWorksAus, decarbonising means we need to ... digitalise, decentralise and distribute so every consumer can make an impact. #EnergyWeb is right behind you
https://www.climateworksaustralia.org/news/australia-can-capitalise-on-state-and-territory-net-zero-momentum-to-keep-the-global-1-5-degree-goal-in-play-report/

If you're building on the @energywebx make sure to check out our name service ... and grab yours today. Human-readable names for machine-readable identifiers to make identity management easier for enterprises and developers accelerating the #energytransition https://twitter.com/energywebx/status/1448648895358062612

Subscribe to our email newsletter today to receive updates.