The 9th KIR: Ground X_Klaytn Bug Bounty Program

Klaytn_KIR · June 29, 2021, 9:01am

Summary

KLAY Funding

Proposed: KLAY worth USD 450,000

Proposal

Brief Introduction of the Project

Security is the most important property of Klaytn and security issues can lead to direct
financial losses as well as service failures. To maintain Klaytn security continuously, Klaytn
needs a long-term security program such as a bug bounty program. The bug bounty
program is a kind of proactive deal offering for White Hat hackers. The participants of the
program report bugs or security flaws and are compensated for their reporting.
The goal of this project is to run a bug bounty program for the security of the Klaytn client.
The Golang source code in the Klaytn GitHub repository is the main scope of the program,
and Ground X will operate a test node for program participants. If a bug is reported and
found positive, Ground X will mitigate the reported issue and send rewards to the reporter
via the bug bounty platform. All positively reported vulnerabilities, mitigations, and reward
history will be posted every two months in the form of a progress report. The project budget
will be used for two purposes: 1) Registration and operation fee on a bug bounty platform 2)
Reward for bug reporters. When the project is finished, the remaining budget will be
refunded to the KIR fund or will be used to maintain the program longer if we get enough
consent from the council.

Key Deliverables

The most important thing in this project is to run the bounty program fairly and transparently.
For fairness and transparency, we will write progress reports and a final report publicizing
the history of bounties. And, we will also provide a test environment to encourage more
engagement in the bounty program.

Progress/Final Reports
○ Summary of reported issues: Statistics of all reports and a summary of all
valid bug reports will be included.
○ Status of vulnerabilities and fixes: Status of bugs and source code update
history to fix the bugs will be included.
○ Reward details: All reward distribution history will be written. The attestation
of a bug bounty platform will be included also and we encourage the platform
to make the reward history public on their platform.
Running a test node for the bounty program
○ A public Klaytn node of the Baobab network will be operated during the
bounty program. Any white hackers can easily test using the public node.

Topic		Replies	Views
The 9th Klaytn Improvement Reserve Result Notice	0	572	July 12, 2021
The 18th KIR: Tatum_Public EN Operation Proposals_on review	0	390	September 22, 2022
The 18th KIR: Questbook_Klaytn Developer Grant Platform Proposals_on review	2	616	October 4, 2022
The 9th KIR: Mound_The Mound Dev Camp Completed	3	735	April 8, 2022
The 2nd KIR : Ground 1_Fee Delegation Policy _Progress Report(1) Completed	0	827	October 5, 2020