We’re calling upon all developers to take part in our recently launched Bug Bounty Program, hosted on HackerOne, to find vulnerabilities in our codebase and help us to ensure the utmost security and robustness of our network.
You can find our HackerOne page below:
Whether you’re a hacker, attacker, security researcher or engineer, put your skills to use finding vulnerabilities, security issues, or bugs in our codebase and earn up to $5,000 per reported issue.
We’ve explained the program rules, terms and details on our HackerOne Bug Bounty page, but you will also find an introduction to the program below.
- If you are new to blockchains and/or to Matic, take a look at the Matic overview – https://docs.matic.network/docs/home/architecture/matic-architecture
- Explore the code on GitHub. There are 3 main repositories for you to study:
  - Heimdall – https://github.com/maticnetwork/heimdall
  - Bor – https://github.com/maticnetwork/bor
  - Contracts – https://github.com/maticnetwork/contracts
- Set up a test network locally by following the instructions in the Matic CLI repository (running a node in a local environment): https://github.com/maticnetwork/matic-cli
The Matic CLI repo is an easy way to set up and manage Matic validator nodes in a local environment, so you can simulate tests and attacks locally before touching a shared testnet.
If you want to run a node on the Counter Stake – Stage 2 staking testnet instead, follow the instructions at these links:
- Overview: https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started
- Linux package: https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation
- Binaries: https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries
Getting Tokens for Counter Stake – Stage 2 Testing
- To get test tokens, use our faucet at https://faucet.matic.network/ and choose the Goerli network. Alternatively, drop an email with your ETH address to delroy(@)matic.network
You’re now set up to start looking for vulnerabilities!
Rewards & Attack Examples
Our rewards are based on severity as scored with CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines, and reward decisions are at the discretion of the Matic Network team.
Below are some indicative examples of valid attacks that could be carried out on Matic Network:
The repositories of the three major components of our mainnet are within the scope of this program:
- Heimdall – This GitHub repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, Block Producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.
- Bor – The Bor node, or the Block Producer implementation, is the sidechain operator. The sidechain VM is EVM-compatible.
- Contracts – This repository contains the smart contracts that power Matic Network.
More information regarding out of scope repositories and vulnerabilities can be found on our HackerOne Bug Bounty page.
Let’s Get Hacking!
At Matic, we’re building infrastructure to enable Ethereum DApps to be able to reach mass adoption levels of users. Become part of this journey, help us to ensure a secure and robust network for our growing ecosystem of DApps and network users, and be rewarded in the process. What could be better?
If you have any questions, comments, or would like to discuss anything relating to the program, leave a post on our Dev Forum or join us at the Matic Dev Forum Discord channel:
Head to HackerOne and start testing. Thank you for helping to keep Matic Network and our users safe!
Happy hacking 🙂
– Matic Network team