Bug bounty program
Scope, rewards, and how to report a vulnerability in the TEE-delegated SWQoS marketplace.
The HackerOne program is being provisioned. Until it goes live,
send all reports to security@swqos.dev (PGP key fingerprint
published on the website footer). All reports receive an
acknowledgement within 24 h, business days.
Vendor & launch
| Field | Value |
|---|---|
| Vendor | HackerOne (alternate: Immunefi) |
| Status | Provisioning. Launches once the operator account is live |
| Program URL | https://hackerone.com/<program-slug> (TBD) |
| Disclosure policy | Coordinated disclosure, 90-day maximum |
| Safe-harbor | DMCA + CFAA safe-harbor language, mirrored from the disclose.io standard |
| Contact (interim) | security@swqos.dev |
The vendor choice (HackerOne) follows design doc §7.10, chosen for its triage workflow maturity, the existing relationships with infrastructure-tier reporters, and its public disclosure pipeline.
In scope
| Target | Notes |
|---|---|
Marketplace API (api.swqos.dev and any *.swqos.dev API subdomain) | All endpoints under /v1/ and /.well-known/manifest.json. |
Marketplace web (app.swqos.dev, in-app /docs) | Next.js app + the in-app documentation section. |
| Host-proxy binary | All published releases under releases.swqos.dev/host-proxy/. |
| Nitro Enclave EIF | All published releases under releases.swqos.dev/eif/. |
| Client SDKs | staked-quic-client-sdk (Rust), TS, Python published artefacts. |
| Probe service | marketplace-probe binary, scoring logic, signed JWT issuance. |
| Settlement worker | marketplace-settlement on-chain payment confirmation: memo matching and the RPC two-leg amount validation (validator payout wallet + platform wallet) that gates lease activation. |
| KMS key-policy templates | The Terraform module that publishes KMS policies under our control. |
| Signed manifests | releases.swqos.dev/manifest.json + revocation.json integrity. |
Out of scope
- Validator-owned AWS accounts (per the shared-responsibility model in threat model. These are the validator's responsibility, not the platform's).
- Solana protocol-level issues (out of the platform's blast radius).
- The trader's own wallet, wallet app, or any third-party Solana Pay wallet UI (payment is a single on-chain transaction the trader signs from their wallet; report wallet bugs to the wallet vendor). The marketplace-side logic that builds the transaction and validates the on-chain payment is in scope above.
- Cloudflare / CloudFront / Fastly issues: report to the respective vendor. We re-mediate via the Terraform module if the issue affects our defaults.
- Theoretical Nitro Enclave side-channel attacks already documented as accepted residual risk in PRD §9.9 T8.
- Findings on test, dev, or preview environments (denoted by the
staging.swqos.devor*.vercel.apphostnames). Please report against production targets only. - Spam-and-phishing-style social engineering of marketplace staff.
- Denial-of-service attacks against the production marketplace, CDN, or any validator's TEE. Exercising the rate-limit code paths in good faith with a coordinated test window is fine, but volumetric attacks are not.
Rewards table
Rewards are paid in USDC on Solana. Amounts are in USD-equivalent at report acknowledgement.
| Severity (CVSS 3.1) | Award (USD-equivalent) | Examples |
|---|---|---|
| Critical (9.0 - 10.0) | $10,000 - $50,000 | Exfiltration of a validator identity key from the enclave. Remote code execution in host-proxy. |
| High (7.0 - 8.9) | $2,500 - $10,000 | JWT signature forgery against the marketplace KMS key. Bypass of the fd_keyguard_payload_matches_tls_cv matcher. KMS policy bypass that lets a non-attested enclave decrypt the envelope. |
| Medium (4.0 - 6.9) | $500 - $2,500 | Persistent XSS on app.swqos.dev. CSRF on a state-changing API endpoint. Rate-limit bypass on JWT issuance. |
| Low (0.1 - 3.9) | $100 - $500 | Reflected XSS without persistence. Verbose error messages leaking internal IPs. Non-secure cookie flags. |
| Informational | Hall of fame + swag | Misconfiguration without exploitability. Outdated dependency without a known CVE path. |
Bounty awards are at the discretion of the security team and can be adjusted based on impact, exploit reliability, report quality, and proof-of-concept clarity. Duplicate reports are awarded only for the first eligible submission.
How to report
- Encrypt the report with our PGP key (fingerprint published in
the website footer once the program launches) and email
security@swqos.dev. Or, once the HackerOne program is live, file the report through the HackerOne portal. - Include:
- A clear, reproducible proof-of-concept.
- The affected target (one of the in-scope items above).
- Your CVSS 3.1 assessment of severity.
- Whether the issue has been publicly disclosed elsewhere.
- Wait. Acknowledgement within 24 h business days. Initial triage within 5 business days. Coordinated disclosure timeline agreed within 14 days of acknowledgement.
Safe harbor
We follow the disclose.io safe-harbor language. As long as the reporter:
- acts in good faith,
- does not access, modify, or destroy data belonging to others,
- does not degrade service availability for legitimate users,
- gives us reasonable time to remediate before public disclosure,
… we will not pursue DMCA, CFAA, or computer-misuse-act claims against the reporter, and we will work with the reporter on coordinated disclosure.
Verifying release artefacts
Every release shipped from releases.swqos.dev/ is built by the
GitHub Actions release workflow with SLSA-3 provenance. Reporters
investigating supply-chain claims can verify the provenance of any
published artefact using slsa-verifier:
# Install the verifier
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest
# Verify a release artefact + its provenance
slsa-verifier verify-artifact \
--provenance-path <artefact>.intoto.jsonl \
--source-uri github.com/nodexpert-labs/swqos-marketplace \
<artefact>
The --source-uri value is pinned to the platform repository. A
verification failure on a published artefact is itself a critical
finding, so please report it.
References
- Threat model: defines the attack surface.
- PRD §9.9: pre-GA checklist requires a live bug bounty program.
- Design doc §7.10: vendor choice (HackerOne) and rationale.
.github/workflows/release.yml: SLSA-3 provenance workflow.