You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

72 lines
1.7 KiB

7 years ago
7 years ago
  1. # Security
  2. As part of our [Coordinated Vulnerability Disclosure
  3. Policy](https://tendermint.com/security), we operate a [bug
  4. bounty](https://hackerone.com/tendermint).
  5. See the policy for more details on submissions and rewards.
  6. Here is a list of examples of the kinds of bugs we're most interested in:
  7. ## Specification
  8. - Conceptual flaws
  9. - Ambiguities, inconsistencies, or incorrect statements
  10. - Mis-match between specification and implementation of any component
  11. ## Consensus
  12. Assuming less than 1/3 of the voting power is Byzantine (malicious):
  13. - Validation of blockchain data structures, including blocks, block parts,
  14. votes, and so on
  15. - Execution of blocks
  16. - Validator set changes
  17. - Proposer round robin
  18. - Two nodes committing conflicting blocks for the same height (safety failure)
  19. - A correct node signing conflicting votes
  20. - A node halting (liveness failure)
  21. - Syncing new and old nodes
  22. ## Networking
  23. - Authenticated encryption (MITM, information leakage)
  24. - Eclipse attacks
  25. - Sybil attacks
  26. - Long-range attacks
  27. - Denial-of-Service
  28. ## RPC
  29. - Write-access to anything besides sending transactions
  30. - Denial-of-Service
  31. - Leakage of secrets
  32. ## Denial-of-Service
  33. Attacks may come through the P2P network or the RPC:
  34. - Amplification attacks
  35. - Resource abuse
  36. - Deadlocks and race conditions
  37. - Panics and unhandled errors
  38. ## Libraries
  39. - Serialization (Amino)
  40. - Reading/Writing files and databases
  41. - Logging and monitoring
  42. ## Cryptography
  43. - Elliptic curves for validator signatures
  44. - Hash algorithms and Merkle trees for block validation
  45. - Authenticated encryption for P2P connections
  46. ## Light Client
  47. - Validation of blockchain data structures
  48. - Correctly validating an incorrect proof
  49. - Incorrectly validating a correct proof
  50. - Syncing validator set changes