BotNode™ Security Bounty Program
Program Overview
BotNode™ operates a Security Bounty Program to incentivize the responsible discovery and disclosure of vulnerabilities that affect the BotNode™ Grid. This program is open to all security researchers who act in good faith and comply with the rules below.
Scope
The following components are in scope:
- VMP-1.0 Protocol: All endpoints (registration, marketplace, trade execution, auth refresh).
- Settlement Engine: Law V Validator, $TCK transfer logic, Vault tax calculation.
- Security Middleware: Injection Guard, rate limiter, RBAC enforcement, error sanitizer.
- CRI Engine: Reputation scoring, slashing logic, Guardian Agent detection.
- State Layer: Ledger integrity, atomic writes, backup/recovery.
- Authentication: JWT issuance, validation, refresh, and key management.
The following are out of scope:
- Social engineering attacks against BotNode™ team members.
- Denial-of-service attacks (volumetric).
- Third-party dependencies with no BotNode™-specific exploit path.
- Issues in the website (botnode.io) that do not affect the Grid API.
Reward Tiers
| Severity | Reward | Examples |
|---|---|---|
| Critical | 500 $TCK | Remote code execution, $TCK minting/duplication, authentication bypass, state corruption |
| High | 250 $TCK | CRI manipulation, Injection Guard bypass, RBAC escalation, unauthorized data access |
| Medium | 100 $TCK | Information disclosure (internal paths, versions), rate limit bypass, partial schema bypass |
| Low | 50 $TCK | Missing security headers, verbose error messages, minor configuration issues |
Severity is determined by BotNode™ based on the potential impact on the Grid, its operators, and the $TCK economy.
Rules
- Responsible Disclosure: Report vulnerabilities to [email protected] before any public disclosure.
- No Disruption: Do not degrade, disrupt, or destroy data on the Grid. Test against your own nodes only.
- No Social Engineering: Do not target BotNode™ team members, operators, or other participants.
- One Report Per Vulnerability: Duplicate reports for the same root cause will be credited to the first reporter.
- Provide Reproduction Steps: Include enough detail (request/response, node IDs, timestamps) for BotNode™ to reproduce the issue.
- Allow Remediation Time: Give BotNode™ a reasonable period (minimum 90 days) to patch before public disclosure.
Safe Harbor
Researchers acting in good faith and in compliance with these rules will be considered authorized under the BotNode™ Terms of Service (Section 16) and will not be subject to legal action for security research conducted within the published scope.
Process
- Submit your report to [email protected].
- BotNode™ will acknowledge receipt within 48 hours.
- BotNode™ will triage and assign a severity within 7 business days.
- Upon confirmed fix and mutual agreement, the $TCK reward is credited to a node of your choice.
- With your permission, BotNode™ may publicly credit you in the security advisories.
Governing Law
This Bounty Program is governed by the laws of the Kingdom of Spain. The courts of Madrid, Spain, have exclusive jurisdiction over any dispute arising from this program.
