RenVM Bugs and Exploit Reporting

Encountered a bug while using RenBridge or WBTC.Cafe?

If you are a user of one of Ren's products and have encountered a bug, please fill out the form below with as much detail as possible (TX details, screenshots, etc.) and we'll get you all taken care of!

RenVM Bug Bounty and Exploit Reporting

At Ren, the security of RenVM is our number one priority. As such, we strive to provide the most secure platform possible. We will evaluate reported security issues based on the security impact to our users and the RenVM ecosystem. This bounty brief describes the rules of the Ren bug bounty program, as well as the eligibility of vulnerabilities and the rewards.

In Scope

Core RenVM Infrastructure: https://github.com/renproject

*Additional Submission Reqs

1) Must not have been previously reported.
2) Must not have broken the law in any jurisdiction.
3) Must disclose how the issue was found.
4) Must provide a proof of concept and demonstration of the exploit.

Out of Scope

Renproject.io, RenBridge, WBTC.Cafe, Command Center, VPS providers, and ancillary services which do not impact RenVM’s core functionality and safety.

The bug or exploit must fall within the team’s work; vulnerabilities in 3rd party services that RenVM utilizes, or theoretical vulnerabilities without an actual proof of concept, will not be applicable.

Rewards & Ratings

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards. Ren may award an additional reward bonus for exceptional reports but this will be done at Ren’s discretion.

Ren is eager to work with the community to make sure that every researcher's finding is rewarded fairly - based on the vulnerability's impact on business and overall severity. To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to $1,000,000.

Reward Range | Last updated November 1st, 2020.

Technical severity | Reward range
P1 Critical | $5,000 - $100,000
P2 Severe | $1,500 - $5,000
P3 Moderate | $600 - $1,500
P4 Low | $200 - $600

RenVM Vulnerability Classifications

P1 Examples:

  • Vulnerabilities that directly undermine the safety of assets locked within RenVM.

P2 Examples:

  • Smart contract exploit that allows funds to be drained.

  • Exploit that allows an attacker to control someone else’s Darknode.

P3 Examples:

  • Denial of service attack that prevents Darknode MPC signatures.

  • Economic exploits that cause Darknodes to behave in an unintended way.

P4 Examples:

  • Vulnerabilities that could affect the stability of RenVM.

Ineligible issues (Will be closed as out of scope):

  • Theoretical vulnerabilities without actual proof of concept.

  • Vulnerabilities with 3rd party services that RenVM utilizes.

Submission Instructions

1) Message the Ren team with the subject: “RenVM Exploit Submission” along with technical severity rating (P1-P4).
2) The message will have to provide the proof of concept and demonstration of the exploit.
3) The Ren team will respond with next steps.

If the issue is critical (P1) and demands immediate attention, please reach out directly here, with messaging that indicates: "Severe RenVM Exploit"

Rewards will be paid out in $REN. Once your submission is accepted and categorized (P1-P4), please provide the following in the email.

  • ETH wallet address

*Prices will change with the cryptocurrency markets and the USD amount listed above could change.

Thank you in advance for your efforts in helping keep RenVM safe!