Bug bounty program for ERC-721 smart contracts (v1)

[xpepermint]

The 0xcert team has decided to provide a valid and secure ERC-721 implementation for the Ethereum community. We recognize the need and necessity of a security audit in order to keep all further usage safe and secure. In this light, a bug bounty program is being launched and we would love if the community can help find and disclose security issues and vulnerabilities.

About implementation

ERC-721 is a standard interface for non-fungible tokens on the Ethereum blockchain, invented by Dieter Shirley and written by William Entriken. The 0xcert development team decided to build the fully compatible implementation, which is going to be open-source and available to everyone.

Scope & rules

This bug bounty program will run from 2018-05-16 at 00:01 CET to 2018-07-16 at 23:59 CET. All of the discussions and code in this bug bounty program are publicly available in this repository. Help us find any problems with the ERC-721 implementation and you will be rewarded.

• Be descriptive and detailed when describing your issue.
• Fix it and recommend a way to solve the problem.
• Include a truffle or detailed test case that we can reproduce.
• Issues that have already been published here or are already disclosed to the 0xcert team are not eligible for rewards.
• Social engineering, XKCD#538 attacks, bringing down Ropsten/Metamask/Infura are not in scope and will NOT be paid a reward.
• Only the contracts regarding the ERC-721 are in scope, our website is not in scope.
• GitHub issues is the only way to report issues and request rewards.
• The 0xcert team has a complete and final judgment on the acceptability of issue reports.

Rewards

• We will distribute up to 5 ETH among all participants that reported a unique high severity bug.
• Reports for medium and low bugs will receive our 0xcert t-shirt and an honorable mention.

Severity	Examples
High	Allowing tokens to get lost, stolen, or become unusable.
Medium	An undocumented function, documentation of a user-facing function that does not completely explain what is happening from the user’s perspective (i.e. unspecified side effects).
Low	Any typo that does not affect program functionality. Recommended changes to functionality which are helpful and optimize the code.

Note that if the EIP standard is amended then an issue will be Low severity if it points this out to us. We will support the updated standard.

Additional bounty

We are providing another bounty for a token that builds on top of this implementation called Xcert. If you are interested in participating in that bounty you can check it out here: 0xcert/ethereum-xcert#24

[fulldecent]

Correction: @dete is the visionary and inventor of ERC-721; I am merely the lead author of the current text of the standard.

[xpepermint]

#51 (low)

[xpepermint]

a03db28#commitcomment-29251894 (low)

[xpepermint]

Extending bounty till 2018-07-16.

[xpepermint]

#87 (low)

[MoMannn]

#91 (low)

[MoMannn]

#97 (low)

[xpepermint]

#100 (medium)

[xpepermint]

#102 (low)

[xpepermint]

#106 (high)

[xpepermint]

It's time!

[xpepermint]

The Bug Bounty program is closed. Thank you to all contributors who participated in the bounty and helped us find the issues with our ERC-721 smart contracts.

8 proposals had been issued by 5 contributors:

• @mg6maciej,
• @mudgen,
• @dafky2000,
• @matbest,
• @coburncoburn.

To collect the rewards, please reach out to the Admin of our Telegram group or write us at [email protected] for further details.