Rules & Rewards
Keep is committed to helping you succeed in this program and to building a robust decentralized network. To this end, Keep has set up a Discord server that anyone can join, along with technical documentation to help you run Keep's random beacon client and start staking on testnet.
Current Game of Keeps
The current game of Keeps begins on April 15th.
Judges will determine the reward status of each entry at their sole discretion. Programs that are suggested by the judges will have their reward status posted.
- Level 1: Up to 100,000 Keep
- Level 2: Up to 10,000 Keep
- Level 3: Up to 1,000 Keep
- Level 4: Up to 500 Keep
- Level 5: No Keep
In addition to severity, other variables are also considered when the judges decide the score, including (but not limited to):
- User demand. Higher rewards are paid for projects that users will actually demand.
- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the official documentation and repos to learn more about our test suite.
- Quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.
- This Game of Keeps follows Keep's Standard Disclosure Terms, which are summarized here.
- Each submission will be judged by a panel of independent judges. The number and selection of judges may change throughout the Game of Keeps.
- Judges will attempt to announce winners bi-weekly. However, this schedule may change based on a variety of factors, including the number of submissions.
- Issues or projects that have already been submitted by another user or are already known to the Keep team are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- You can start or fork a private chain for bug hunting. Please respect the Keep main and test networks and refrain from attacking them.
- Keep's core development team, employees and all other people paid by the Keep project, directly or indirectly, are not eligible for rewards.
- Anyone who works with the codebase as a professional Keep developer is not eligible for rewards.
- Keep websites and Keep Foundation infrastructure in general are NOT part of the bounty program.
- The Keep bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Keep Foundation bug bounty panel.
There is only one simple way you can register for the Game of Keeps:
When submitting, please be sure to include email credentials and all recent IPs.
- Documentation "for humans". Help more people stake
- Staking guides for different kinds of hardware
- Bug & security reports
- Improvements to the Keep client & contracts and the tBTC system
- Translations of documentation and websites
- Extensions to the Keep token dashboard
- a tBTC deposit explorer
- a tBTC liquidation auction dApp
- tBTC on Tornado Cash
- tBTC on DEXs, especially newer DEXs like Loopring
- a tBTC deposit widget based on tbtc.js, simplifying integration for new devs
- Headers used to maintain session state (Session ID)
- Scheduled infrastructure changes
- Enumeration attacks require prior notification and approval
Keep wants to help you!
If you have a great idea, something that you feel is close to exploitation, or if you'd like some information regarding the internal API, or generally have any questions regarding Keep that would help in your efforts, please create a submission and ask for that information.
If conducting vulnerability research against this program, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith. You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Any submission to the Game of Keeps requires explicit permission to disclose the results of that submission.
Standard Disclosure Terms
The Submission Process
If you believe you have discovered a vulnerability, please create a submission for the appropriate program through the Keep platform. Each program has a set of guidelines called the Program Brief. The program brief is maintained by the Program Owner. Terms specified in the program brief supersede these terms.
Each submission will be updated with significant events, including when the issue has been validated, when we need more information from you, or when you have qualified for a reward.
Each submission is evaluated by the Program Owner on the basis of first-to-find. Keep may assist in the evaluation process.
You will qualify for a reward if you were the first person to alert the Program Owner to a previously unknown issue AND the issue triggers a code or configuration change.
Standard Program Rules
We are committed to protecting the interests of Security Researchers. The more closely your behavior follows these rules, the more we'll be able to protect you if a difficult situation escalates.
Rules can vary for each program. Please carefully read the program brief for specific rules. These rules apply to all programs:
- Testing should be performed only on systems listed under the program brief 'Targets' section. Any other systems are Out Of Scope.
- Except when otherwise noted in the program brief, you should create accounts for testing purposes.
- Submissions must be made exclusively through Keep to be considered for a reward.
- Communication regarding submissions must remain within Keep and/or official Keep support channels for the duration of the disclosure process.
- Actions which affect the integrity or availability of program targets are prohibited, and this rule is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.
- Submissions should have an impact on the target's security posture. Impact means the reported issue affects the target's users, systems, or data security in a meaningful way. Submitters may be asked to defend the impact in order to qualify for a reward.
- Submissions may be closed if a Researcher is non-responsive to requests for information after 7 days.
- The existence or details of private or invitation-only programs must not be communicated to anyone who is not a Keep employee or an authorized employee of the organization responsible for the program.
- We encourage Researchers to include a video or screenshot Proof-of-Concept in their submissions. These files should not be shared publicly; this includes uploading them to any publicly accessible website (e.g. YouTube, Imgur). If the file exceeds 100MB, upload it to a secure online service such as Vimeo, protected with a password.
Usernames and Passwords
You will need to set up a Keep Discord account and user name in order to participate in Play for Keeps. You may not use a third party's account without permission. When you set up your account, you must give us accurate and complete information. This means that you cannot set up an account using a name or contact information that does not apply to you, and you must provide accurate and current information on all registration forms that are part of the Website. You may only set up one account. You have complete responsibility for your account and everything that happens on it, so be careful with your password. If you find out that someone is using your account without your permission, you must let us know immediately. You may not transfer your account to someone else. We are not liable for any damages or losses caused by someone using your account without your permission; however, if we (or anyone else) suffer any damage due to the unauthorized use of your account, you may be liable. Keep may deny the use of certain user names, or require certain user names to be changed, at Keep's sole discretion and/or to comply with end customers' requirements. User names containing offensive or discriminatory words are prohibited.
Official Support Channels and Private Communication
During the course of each program, the Keep team may communicate updates via:
- 'Program Updates' section within the program
- Discord or other chat platforms
If you have questions about a program or a specific submission, you may contact the Keep team via: