FIBOS Security-vulnerabilities and Threat-intelligence Bounty Programme - SlowMist Zone

Table of Contents

Content

Scope of Business

FIBOS mainnet, source code: https://github.com/fibosio

Processing Flow

Reporting Stage

The reporter visits "SlowMist Zone" website and goes to "Submit Bug Bounty" (URL：https://slowmist.io/en/bug-bounty.html) to submit a threat intelligence. (Status: to be review)

Processing Stage

1. Within one working day, the SlowMist Security Team will confirm the threat intelligence report from the "SlowMist Zone", follow up, evaluate the problem, and feed the intelligence back to the FIBOS contact person in the meantime (status: under review).

2. Within three working days, the FIBOS technical team will deal with the problem, draw conclusions and record points (status: confirmed / ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.

Repairing Stage

1. The FIBOS business department shall repair the security problems in the threat intelligence and update online (status: repaired). The repairing timeframe depends on the problem severity and the repair difficulty. Generally speaking, it is within 24 hours for the critical and high-risk problems, within 3 working days for the medium-risk problems, and within 7 working days for the low-risk problems. The App security issue is limited by the version release, and the repairing timeframe is on a case-by-case basis.

2. The reporter will review whether the security problem has been repaired (Status: reviewed/reviewed with objection).

3. After the reporter confirms that the security problem is repaired, the FIBOS technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score. They will issue rewards with the SlowMist Security Team (status: completed).

Vulnerability Level and Reward Standards

Level	FIBOS Reward	SlowMist Zone Reward*
Critical	100,000 FO	512 SLOWMIST
High	50,000 FO	256 SLOWMIST
Medium	20,000 FO	100 SLOWMIST
Low	5,000 FO	32 SLOWMIST

*Remark: the final award depends on the severity of the vulnerability and the true impact of the vulnerability, the values in the table are the highest rewards for each level. If the FO/EOS price fluctuates significantly, it will be adjusted according to the actual situation.

*SLOWMIST is Ethereum ERC20 Token, the ecological incentive token for the SlowMist Zone.

Critical Vulnerabilities

A critical vulnerability refers to the vulnerability occurs in the core business system (underlying virtual machine, wallet, etc.), it can cause a severe impact.

It is including but not limited to:

Smart contract overflow, conditional competition vulnerability, authority control defect, double spend and consensus layer vulnerability.
Communication layer attacks other nodes with a large area of DDoS at a small cost.
Sandboxie escape causes node command execution or system file reading.
Sandboxie timeout detection mechanism bypasses, causing DDoS local node.

High-risk Vulnerabilities

Invade the server through full-node program to gain control permissions
Unauthorized operation that involves money, payment logic bypassing (need to be successfully utilized)
Excepions smart contract attacks to avoid exhausting node resources
Block replay check, block does not cause replay failure due to any factors

Medium-risk Vulnerabilities

General unauthorized operation. It includes but is not limited to modify user data and perform user operation by bypassing restrictions
Denial-of-service vulnerabilities. It includes but is not limited to the remote denial-of-service vulnerabilities caused by denial-of-service of web applications
The leakage of locally-stored sensitive authentication key information, which needs to be able to use effectively

Low-risk Vulnerabilities

Local denial-of-service vulnerabilities. It includes but is not limited to the client local denial-of-service (parsing file formats, crashes generated by network protocols), general application access, etc.
General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc
Email Spoofing / Missing SPF Record.

Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored)

User enumeration vulnerability.
Self-XSS
CSRF issues for non-sensitive operations.
A separate issue about Android app android:allowBackup=”true” , and the service is denied locally, etc. (unless in-depth use).
Some problems such as changing the size of the image and causing slow requests, etc.
Version leak issues such as Nginx/Tomcat, etc.
Some functional bugs that do not pose a security risk issue.

Special thanks to The xianzhi vulnerability classification criteria referred here.