Scope & Policy

Author: EDX Chain
Publish Time: Feb 13, 2024

About

edeXa Chain is the best ecosystem of blockchains for businesses with massive user bases, dedicated to delivering the core infrastructure necessary for future private and public adoption: https://edexa.network

Policy

edeXa Chain is committed to the safety and security of the Blockchain Ecosystem. To help us achieve this goal, we have implemented the edeXa Chain Bug Bounty Program, encouraging security researchers and enthusiasts to identify vulnerabilities that directly affect edeXa Chain and report them to us. In return for their valuable contributions, we offer rewards based on the severity and impact of the reported issues ("edeXa Chain Bug Bounty Program").

Below are the guidelines and conditions for edeXa Chain Bug Bounty Program:

1. Scope of the Program

For security issues related to edeXa Chain and its components ONLY:

If you have found a security issue that directly affects edeXa Chain and/or its components (e.g. blockchain, node, wallet, domains, websites), please ensure that you report it directly to the program.

Non-security related issues:

To report an issue without security impact, please join the edeXa Chain community on its Discord channel and share your issues there. We appreciate all efforts in helping to keep edeXa Chain safe.

We will evaluate reported security issues based on the security impact on our users and the edeXa Chain ecosystem. Please take a moment to read the rules of the edeXa Chain Bug Bounty Program, as well as the eligibility of vulnerabilities and rewards as set forth herein. 

1.1. Bounty-Scope

edeXa Blockchain

Type       Link
Website    edexa.network
Website    edexa.com
Website    edexa.io

edeXa Blockchain Components

Type                     Link
Client Implementation    edeXa-Blockchain Github
edeXa explorer           edeXa explorer

edeXa smart Contract

Type                              Link
'EDX' Token Contract              'EDX' Token Contract
edeXa NFT Engine Smart Contract   edeXa NFT Engine Smart Contract
bStamp Smart Contract             bStamp Smart Contract

edeXa Public Blockchain Developer Links

Type                 Link
edeXa Github Repo    https://github.com/devEdexa/edexa.js
edeXa Products SDK   https://github.com/devEdexa/edexa-sdk

edeXa Blockchain Documentation

Type                             Link
edeXa blockchain Documentation   https://developer.edexa.network

1.2. Out of Scope

Only the targets listed above shall be deemed as part of the edeXa Chain Bug Bounty Program ("Bounty-Scope"). The following items are not part of the Bounty-Scope. 

  • Our infrastructure, such as webpages, DNS, email, etc.

  • Social engineering tactics (such as phishing or vishing)

  • Physical security breaches

  • Issues in third-party systems, services, or applications outside our domain.

  • Denial of service attacks

  • Vulnerabilities solely affecting outdated or unpatched devices/browsers

2. Reporting Guidelines

2.1.

Security researchers should submit their reports to the Bounty Page available at https://edexa.network/edx_bounty_program. The report should include a detailed description of the vulnerability, steps to reproduce the issue, potential environment, proof of concept, and any relevant screenshots, log files, or other evidence. We encourage researchers to submit their findings as soon as possible to minimize the risk of duplicate reports.

2.2.

The Participants agree with the following:

a) Submitted reports include a clear, concise, and reproducible description of the identified vulnerability, along with detailed steps to reproduce the issue and supporting evidence such as screenshots or logs.

b) If the vulnerability has already been reported by another participant, the submitted report will be marked as a duplicate and will not be eligible for a reward.

c) edeXa Chain Foundation reserves the right to determine the validity and severity of a reported vulnerability at its sole discretion. edeXa Chain Foundation also reserves the right to reject any report that does not meet edeXa Chain Foundation's guidelines or criteria.

d) Participants shall not disclose any information about the identified vulnerability to any third party without edeXa Chain Foundation's prior written consent.

e) Participants must give edeXa Chain Foundation a reasonable amount of time to address and rectify the identified vulnerability before any public disclosure.

f) Participants must not engage in any malicious activities that could result in damage to edeXa Chain Foundation's systems, loss of data, or any other negative impact.

g) Reports should be written in English.

2.3.

To ensure eligibility in the edeXa Chain Bug Bounty Program, participants must adhere to the following template: 

1. Chain: Specify the targeted chain (e.g., edeXa Beacon Chain, BSC, opedeXa, or Greenfield).

2. Attack Scenario: Provide a detailed description of the attack or bug scenario, along with the unexpected or problematic behavior observed.

3. Impact: Explain the potential effects of this issue in a live production setting.

4. Components: Identify the affected files, functions, and/or specific line numbers where the bug appears.

5. Reproduction Steps: If you used any tools or simulations to discover the bug, thoroughly describe the method to recreate the problematic behavior.

6. Suggested Fix: If applicable, include a description of a possible solution for the issue.

7. Additional Details: Provide any other relevant information not covered in the sections above.

3. Reward

edeXa will distribute the rewards after the evaluation and verification process is complete. The distribution method and timeframe will be communicated to the participants. Participants must provide accurate and valid wallet addresses or other information required for reward distribution.

3.2. Hall of Fame Recognition

Participants who have demonstrated exceptional skills and contributed significantly to the improvement of edeXa Chain's security will be acknowledged through the following means:

a. Public Recognition: The names (or aliases, if preferred) of top contributors will be displayed on our Bug Bounty Hall of Fame webpage, honoring and thanking them for their valuable contributions.

b. Digital Certificate: edeXa Chain Foundation will issue a digital certificate of recognition, highlighting the participants' achievements in the edeXa Chain Bug Bounty Program.

c. Exclusive Access: Hall of Fame members may be granted exclusive, limited-time access to upcoming features, enabling them to showcase their expertise in assessing vulnerabilities before public release.

To maintain high standards and credibility, edeXa Chain Foundation reserves the right to determine the eligibility of participants for the Hall of Fame. Factors that may be taken into consideration include the vulnerability's criticality, the participant's contribution history, and adherence to responsible disclosure guidelines.

edeXa Chain Foundation retains the right to remove any participant from the Hall of Fame for reasons including, but not limited to, unethical behavior, violation of edeXa Chain Bug Bounty Program rules, or any other actions that may compromise the integrity of the recognition.

4. Eligibility

a. Age Requirements: To participate in the edeXa Chain Bug Bounty Program, you must be at least 18 years old.

b. Employee Participation: edeXa Chain Foundation employees, affiliates, their immediate family members, and contractors are welcome to join the program. However, monetary rewards will not be granted to these participants.

c. Country Restrictions: To be eligible for the program, you must not live in or hold citizenship from a country subject to embargoes, sanctions, or conflicts with the edeXa Chain Foundation's jurisdiction.

d. Tax Obligations: As a participant, you are responsible for any tax implications based on your country of residence and citizenship.

e. Local Law Compliance: Additional restrictions on your ability to participate may be imposed by your local law. It is your responsibility to ensure compliance.

f. Program Nature: This is not a competition; rather, it is an experimental, discretionary rewards program. The edeXa Chain Foundation reserves the right to cancel the program or decide whether to award a reward at any time and entirely at its discretion.

5. Vulnerability Classifications

5.1. Vulnerability Classifications on edeXa Beacon Chain and edeXa Smart Chain

P0:

  • Validator selection set manipulation

  • Merkle proof validation vulnerabilities

  • Remote leaks of unencrypted private keys / mnemonic / key seed

P1:

  • Vulnerabilities that could undermine the safety of any user or validator's fund/fee

  • Vulnerabilities that could severely undermine trading or token economy

  • Remote Code Execution on any edeXa Beacon Chain/edeXa Smart Chain node, such as Validator nodes, Witness nodes, or Seed nodes

  • Vulnerabilities related to key generation, encryption, decryption, signing and verification

  • Vulnerabilities that could disrupt the edeXa Beacon Chain governance

  • Transaction origin spoofing or transaction malleability

  • Any issues causing irreparable consensus splits from the rest of the network

P2:

  • Denial of service of any edeXa Beacon Chain validator node

  • Vulnerabilities that could undermine or disrupt trading or token economy

  • Vulnerabilities that could disrupt the Validator consensus result and performance

  • Vulnerabilities that could cause the Accelerated Node to be unable to respond to user queries on orders, transactions, balances, or market depth

  • Access of disabled channels for cross-chain communication

  • Denial of service of cross-chain communication

P3:

  • Denial of service of the edeXa Beacon Chain & edeXa Smart Chain Explorer

  • Denial of service of seed and/or data seed nodes

  • Denial of service for BSC Relayers / Oracle Relayers

P4:

  • Vulnerabilities that could affect the stability or availability of edeXa Beacon Chain/ edeXa Smart Chain / Explorer

  • Denial of service of non-critical functions

6. General Provisions

6.1.

Participants acknowledge that their participation in the edeXa Chain Bug Bounty Program is voluntary and at their own risk. edeXa Chain is not responsible for any loss, damage, or liability arising from participation in the program. edeXa Chain Bug Bounty Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the edeXa Chain Foundation bug bounty panel.

6.2.

edeXa Chain Foundation reserves the right to amend, modify, or update the edeXa Chain Bug Bounty Policy at any time, without prior notice. Participants are advised to periodically review the policy for any changes. Continued participation in the edeXa Chain Bug Bounty Program after any such changes shall constitute acceptance of the updated policy. edeXa Chain Foundation reserves the right to terminate the edeXa Chain Bug Bounty Program at any time without prior notice and shall not be liable for any unfulfilled rewards or incomplete tasks. 

6.3.

By participating in the edeXa Chain Bug Bounty Program, researchers agree to comply with all applicable laws and regulations while conducting their research. Unauthorized disclosure of vulnerabilities outside the scope of the program or before an official fix is released by edeXa Chain Foundation may result in disqualification from the program and potential legal action.

6.4.

By participating in the edeXa Chain Bug Bounty Program, the participants agree to be bound by these clauses and any additional terms and conditions set forth by edeXa Chain Foundation.

6.5.

This edeXa Chain Bug Bounty Program and any disputes arising out of or relating to it shall be governed by, and construed in accordance with, the laws of Singapore, without giving effect to its conflict of law principles.

6.6.

All disputes arising out of, or in connection with, this edeXa Chain Bug Bounty shall be resolved in the following manner:

a) Amicable Resolution: The parties shall attempt, in good faith, to negotiate and resolve any disputes or disagreements that may arise by engaging in discussions and consultations for a minimum period of thirty (30) days from the date a written notice is received by either party.

b) All disputes, controversies or claims between the Parties arising out of or in connection with this Agreement (including its existence, validity or termination) shall be finally resolved by arbitration to be held in Singapore, and conducted in English under the Rules of Arbitration of the Singapore International Arbitration Centre; provided, however, that each Party may enforce its or its Affiliates’ intellectual property rights in any court of competent jurisdiction, including but not limited to equitable relief. The arbitral award shall be final and binding on the Parties. Except to the extent of entry of judgment and any subsequent enforcement may require disclosure, all matters relating to the arbitration, including the award, shall be held in confidence.

6.7.

The failure of edeXa Chain Foundation to exercise or enforce any right or provision of this policy at any given time shall not constitute a waiver of such right or provision, nor does it prevent edeXa Chain Foundation from exercising its rights in the future.

6.8.

If any provision of this edeXa Chain Bug Bounty Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

6.9.

This edeXa Chain Bug Bounty Policy, along with any additional terms and conditions referenced herein, constitutes the entire agreement between the parties concerning the subject matter hereof and supersedes all prior understandings, agreements, and communications, whether oral or written, relating to the subject matter.

6.10.

edeXa Chain Foundation may assign its rights and obligations under this edeXa Chain Bug Bounty Policy, in whole or in part, to any affiliate or successor entity without notice to, or consent from, the participants.

6.11.

Nothing in this edeXa Chain Bug Bounty Policy is intended to confer any rights or remedies on any persons other than the parties and their respective successors and permitted assigns.

6.12.

By participating in this edeXa Chain Bug Bounty Program, the participants agree to adhere to and be bound by this Policy and any additional terms and conditions set forth by edeXa Chain Foundation.