Celebrating Six Years of Post-Quantum Security: The Journey of QRL

Read More

QRL Bug Bounty Programme released by the QRL Foundation, further securing the future of blockchains

In an effort to make QRL’s post-quantum secure blockchain platform even more bulletproof, the QRL Foundation is pleased to establish the QRL Bug Bounty Programme

security release

30th November 2022

The QRL Foundation is pleased release the QRL Bug Bounty Programme, an experimental and discretionary rewards programme for our active community to encourage and reward platform improvements!

Overview

It is in blockchains’ best interests to find and fix vulnerabilities that could be exploited first by malicious attackers. The use of third-party auditors, such as those performed on our codebase by Red4Sec and x41 D-Sec, has been a longstanding component to the longevity of QRL.

Audits will remain a cornerstone of our security arsenal, however, the realism of these exercises in penetration tests and vulnerability assessments through auditors alone can be difficult to fully capture. The QRL Bug bounty programme will build upon third-party audits by rewarding people to be white-hat security researchers, who often possess the same degree of knowledge and approach that hackers may have. On top of the depth of third-party audits, the QRL Bug Bounty Programme offers increased vulnerability detection and realistic threat simulation on a continuous basis.

With our forthcoming Proof-of-Stake and EVM smart contract enhancements (already live in devnet), genuine DeFi apps will be available on a cutting-edge post-quantum secure blockchain network. Developers building on the QRL blockchain platform can take comfort in the fact that they are doing so on the most stress-tested and meticulously maintained blockchain, sending a clear message to stakeholders about the importance we place on security and public safety.

Scope

Any bug that threatens network security, classical client security, protocol soundness, or cryptographic primitive security may be eligible for a reward. Examples include everything from an attack that could disrupt the entire network and harm the validity to the network, to attacks that would disrupt service to others.

At this point, actively developed public GitHub repository code is generally considered in-scope. This includes the core node software, QRLLIB library, the web/desktop wallet and mobile wallet alongside ancillary libraries, services and tools. Pre-release software may be considered in-scope although prior to code audit and release a high or critical grading cannot be applied to bug reports. Excluded from the scope of the bug bounty program includes static websites, our infrastructure (dns, email, etc), and known issues or dependencies flagged by code-scanners.

Testing & reporting

Testing should not violate any law or compromise any data (or funds) that is not yours and must take place on local running testnets (see our documentation on how to set one up). This responsible investigation should be accompanied by responsible disclosure through issuing a security report, which includes initially reporting the bug only to us, and giving us a reasonable amount of time to fix things.

Bounties

All valid findings, even if they’re ineligible for a bounty, are subject to Hall-of-Fame kudos points. Our Hall-of-Fame forms part of the award of additional annual bounty to ethical researchers dedicated to improving our protocol. Please note that it is entirely our discretion to decide whether a bug is significant enough to qualify for a reward.

For more thorough and up to date information, please see our QRL Bug Bounty Programme page.

security release

30th November 2022