Ontology Security Vulnerabilities and Threat Intelligence Bounty Programme


Scope of Business

1. Ontology Blockchain (GitHub: https://github.com/ontio)

2. Ontology Wallets

Processing Flow

Reporting Stage

The reporter visits the "SlowMist Zone" website and goes to "Submit Bug Bounty" (URL: https://slowmist.io/en/bug-bounty.html) to submit a vulnerability report (Status: Under Review).

Processing Stage

1. Within 1 working day, the SlowMist Security Team will confirm the vulnerability report from the "SlowMist Zone", follow up, evaluate the problem, and send the threat intelligence back to the Ontology contact person (Status: Under Review).

2. Within 3-10 working days, the Ontology technical team will address the bug, draw conclusions and record points (Status: Confirmed/Ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.

Fixing Stage

1. The Ontology team shall fix the security bugs identified by the vulnerability report and provide updates online (Status: Fixed). The time frame for a fix depends on the bug's severity and the difficulty of the repair. Generally speaking, it is within 24 hours for critical and high risk bugs, within 3 working days for medium risk bugs, and within 7 working days for low risk bugs. Fixes for app security issues are constrained by version releases, so their time frame is determined on a case-by-case basis.

2. The reporter will review whether the security bug has been fixed (Status: Reviewed/Reviewed With Objection).

3. After the reporter confirms that the security bug is fixed, the Ontology technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score. They will issue rewards to the SlowMist Security Team (Status: Completed).

Vulnerability Level and Reward Standards

| Level | Ontology Reward* | SlowMist Zone Reward* |
|---|---|---|
| Critical | $12000 equivalent ONG | 512 SLOWMIST |
| High | 3200 ONG | 256 SLOWMIST |
| Medium | 1600 ONG | 100 SLOWMIST |
| Low | 320 ONG | 32 SLOWMIST |

*Remark: The final award depends on the severity and true impact of the vulnerability. The values in the table are the highest rewards for each level. Rewards for critical vulnerabilities will be paid in ONG at the ONG/USDT price of the day before the issue.

*SLOWMIST is the points unit of the SlowMist Zone.

Critical Vulnerabilities

A critical vulnerability refers to a vulnerability that occurs in the core business system (the core control system, domain controller, business distribution system, bastion host and other control systems that can manage a large number of systems). It can cause a severe impact, allowing an attacker to gain business system control access (depending on the situation), gain core system management staff access, and even control the core system.

Critical vulnerabilities include but are not limited to:

High Risk Vulnerabilities

High risk vulnerabilities include but are not limited to:

Medium Risk Vulnerabilities

Medium risk vulnerabilities include but are not limited to:

Low Risk Vulnerabilities

Low risk vulnerabilities include but are not limited to:

Vulnerabilities That Are Not Accepted (even if such a vulnerability is submitted, it will be ignored)

Prohibited Behaviors

Special thanks to the xianzhi and cnvd vulnerability classification criteria referred to here.