Qtum Security-vulnerabilities and Threat-intelligence Bounty Programme

Table of Contents

Scope of Business

Includes all the code in the codebase: https://github.com/Qtumproject/Qtum

Processing Flow

Reporting Stage

The reporter visits "SlowMist Zone" website and goes to "Submit Bug Bounty" (URL:https://slowmist.io/en/bug-bounty.html) to submit a threat intelligence. (Status: pending review)

Processing Stage

1. Within one working day, the SlowMist Security Team will confirm the threat intelligence report from the "SlowMist Zone", follow up, evaluate the problem, and feed the intelligence back to the Qtum contact person in the meantime (status: under review).

2. Within three working days, the Qtum technical team will deal with the problem, draw conclusions and record points (status: confirmed / ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.

Repairing Stage

1. The Qtum business department shall repair the security problems in the threat intelligence and update online (status: repaired). The repairing timeframe depends on the problem severity and the repair difficulty. Generally speaking, it is within 24 hours for the critical and high-risk problems, within 3 working days for the medium-risk problems, and within 7 working days for the low-risk problems. The App security issue is limited by the version release, and the repairing timeframe is on a case-by-case basis.

2. The reporter will review whether the security problem has been repaired (Status: reviewed/reviewed with objection).

3. After the reporter confirms that the security problem is repaired, the Qtum technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score. They will issue rewards with the SlowMist Security Team (status: completed).

Vulnerability Level and Reward Standards

Level Qtum Reward SlowMist Zone Reward*
Submit and solve problems Submit a question only
Critical $10,000 $2,000 512 SLOWMIST
High $5,000 $1,000 256 SLOWMIST
Medium $2,500 $600 100 SLOWMIST
Low $1,200 $300 32 SLOWMIST
Improvement $600 $200 32 SLOWMIST

*SLOWMIST is Ethereum ERC20 Token, the ecological incentive token for the SlowMist Zone.

*Note: in US dollars. The final release will be in the form of equal value BTC, please fill in the bitcoin address when submitting the vulnerability.

1. For issues that have been reported on Bitcoin, Ethereum, etc., the bounty will be discounted accordingly.

2. The values in the table are the highest rewards for each level, and the specific award amount will be determined by the Qtum security team. For the issuance of rewards, we will also refer to several of them for review. If you only submit the vulnerability, only need to focus on the materials submitted.


1. If there is already a similar issue or the Qtum team already knows and is working on the issue, it will not apply to the bounty plan.

2. There will be no bounty if the problem is made public and causes harm before it is resolved.

3. When repairing, please fork the code to your own repository for repair, and then submit the pull request to merge into master branch after the Qtum member review.

4. Qtum team members are employed by the Qtum Foundation, and Qtum members will not receive a bounty if they participate in bug fixes directly or indirectly.

5. The bounty program to solve the Qatum core product technology to enhance product robustness. Qtum websites, forums, organizational structures, etc. are not included in the bounty program.

6. The award of the bounty plan is related to many factors, such as workload, influence scope, severity, etc. The specific amount of the bounty plan is subject to the conclusion of Qtum security team.

Submitted materials (25%):

Complete the report materials.

Code fixes (50%):

Code fixes are completed without introducing new problems, if there are new problems were introduced, they need to be resolved in the same commit.

If you don't do the code fix, just provide the repair suggestions, the bounty will be discounted.

Automated test script coverage or manual test method specification (25%)

Automated test scripts play an extremely important role in continuous integration of code and quality control under rapid iteration, so the improvement of automated test scripts will be an important assessment indicator:

Critical Vulnerabilities

A critical vulnerability refers to the vulnerability occurs in the core business system (the core control system, field control, business distribution system, fortress machine and other control systems that can manage a large number of systems). It can cause a severe impact, gain business system control access (depending on the actual situation), gain core system management staff access, and even control the core system.

Including but not limited to:

High-risk Vulnerabilities

Medium-risk Vulnerabilities

Low-risk Vulnerabilities

Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored)

Prohibited behaviors

Special thanks to The xianzhi vulnerability classification criteria referred here.