Grove's Bug Bounty Program

Grove offers a vulnerability disclosure program, colloquially known as a Bug Bounty Program. We treat Security as a first-class citizen. In addition to our own measures, we are more than happy to accept and reimburse for security suggestions and improvements to our Products.

How It Works

Current industry standards utilize the Common Vulnerability Scoring System (CVSS) v3.1 to calculate the severity of a software vulnerability across multiple dimensions, including impact, exploitability, remediation, etc. We’ve opted to do the same with our bug bounty program.

At present, our program stands as following: To qualify for a bounty, all reports must be emailed to portal@grove.city and include:

• A write-up summarizing the bug, the steps needed to reproduce it, its impact to Grove, and (optionally) any recommendations to resolve the issue.
• The CVSS v3.1 vector. This can be found on the National Vulnerability Database’s Calculator. An example of this would be AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H.
• A proof of concept, including all code needed to reproduce, with detailed instructions of how to do so.

The maximum total payout is then determined by the CVSS v3.1 score.

• Low (0.1 - 3.9) -> Up to $250 USDC
• Medium (4.0 - 6.9) -> Up to $750 USDC
• High (7.0 - 8.9) -> Up to $1,250 USDC
• Critical (9.0 - 10) -> Up to $2,500 USDC

These payouts represent the maximum amount for a confirmed vulnerability. To receive the full amount, a report will be expected to provide the following:

• Well written submissions that are able to describe the issue and impact to a non-technical audience.
• A well documented proof of concept that allows for easy reproduction of the issue.
• Clear and actionable steps that can be taken to resolve the issue.
• Amounts will be paid in USDC (Ethereum) to a wallet of the Reporter's choosing.

TL;DR

We have a bug bounty program that pays up to $2,500 in USDC. The bounty will be valid for all projects owned by Grove.