Bug Bounty
Recognizing the importance of rigorous security measures in the world of blockchain, Trush has established a Bug Bounty Program. This initiative calls upon our developer community to examine our codebase, discover any security vulnerabilities within our protocol design, implementation, services, network, or infrastructure, and responsibly report them to us. We offer rewards for these discovered bugs, incentivizing the continuous improvement of our system.
The Trush Bug Bounty Program is based on the following principles:
Scope of Eligibility: Generally, any bug that introduces a significant vulnerability is eligible for a reward. This includes, but is not limited to, issues that affect the robustness of our protocols, network security, client security, or the security of cryptographic primitives. It's essential to note that the decision about whether a bug qualifies for a reward lies entirely within our discretion.
Quality of Submission: We value quality in bug reports. A high-quality submission contains a detailed explanation of how to reproduce the bug, how it was discovered, and any other critical information that could help us understand and fix the issue. The level of detail and quality in your submission will be a significant factor when considering the reward.
Responsible Disclosure: Upon discovering a potential security issue, you must report it directly to us via a PGP-encrypted message sent to security@trush.foundation. Do not disclose the bug to anyone else, as third-party disclosure will result in disqualification from the bounty program.
We encourage you to include the following when reporting a bug:
Description of the issue
The potential security impact of the issue
The affected resource, e.g., URL, GitHub code snippet, transaction
A proof-of-concept, if possible, that demonstrates the issue
Our Process: After receiving your report, we will evaluate the issue and reach out to you for additional information or provide an initial assessment. Based on our determination of the bug's novelty and potential severity, we may reward you for your valuable contribution to the Trush ecosystem.
Examples of Eligible Threats:
Critical Threat: An attack that could disrupt the entire network and compromise the network's integrity.
High Threat: An attack that could disrupt service to others.
Responsible Investigation and Reporting:
Respect the privacy of other users, and do not destroy data during your investigation.
Do not cause harm to the Trush network or its users during your research.
Do not target our physical security measures or use social engineering, spam, DDoS attacks, etc.
Provide us with a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before such disclosure.
In summary, your investigation and reporting of potential bugs should be conducted in a way that demonstrates a good faith effort not to be disruptive or harmful to our users or us. Always ensure your actions are viewed as a helpful contribution rather than a disruptive attack.