story-protocol

@Story
Live

Maximum reward: 600,000 USD (in $IP)

| Severity      | Max. Reward            |
|---------------|------------------------|
| Critical      | 600,000 USD (in $IP)   |
| High          | 50,000 USD (in $IP)    |
| Medium        | 10,000 USD (in $IP)    |
| Low           | 2,000 USD (in $IP)     |
| Informational | 100 USD (in $IP)       |

No deposit required

Findings submitted: 134

Start date: 11 Feb 2025


Story Protocol is a peer-to-peer intellectual property network that creates a programmable market for knowledge and creativity. Scientific and creative assets are registered on a universal ledger with customizable usage parameters.

All assets are equipped with a composable interface that can be consumed by any software application or artificial intelligence model, allowing intellectual property to be used and monetized across the internet. A network-wide graph coordinates all intellectual property assets, with nodes representing atomic assets and edges representing the legal and economic commitments between them.

The network evaluates the uniqueness of each asset via an asynchronous and decentralized validation service driven by cryptoeconomic incentives. Participation in the protocol contributes to the growth of the only open and permissionless repository of the world’s knowledge and creativity.

Scope

The World's IP Blockchain has several layers: a Layer 1 blockchain (a Cosmos fork as the consensus layer (CL) and a Geth fork with the IPGraph precompile as the execution layer (EL)), the Proof of Creativity smart contract protocol, and several applications that help users interact with the network.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

| Likelihood \ Impact | Impact: Critical | Impact: High | Impact: Medium | Impact: Low   |
|---------------------|------------------|--------------|----------------|---------------|
| Likelihood: High    | Critical         | High         | Medium         | Low           |
| Likelihood: Medium  | High             | High         | Medium         | Low           |
| Likelihood: Low     | Medium           | Medium       | Low            | Informational |

Likelihood Definitions:

  • High: Very easy to exploit (no or negligible monetary cost to the attacker) or highly incentivized.
  • Medium: Exploitation is possible only under certain conditions.
  • Low: Difficult to exploit or requires highly specific conditions.

Impact Definitions

See the Assets in Scope section.

Payout Guidelines

Payments will be made in $IP tokens, valued at the 30-day median USD price.

Actual reward amounts are determined at Story Protocol’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Program Rules

  • Theoretical entries, entries without a working POC, and entries generated with ChatGPT/LLM tools will be discarded. Any vulnerability of medium or higher severity must come with a working POC that can be demonstrated on a local test environment reproducible with the instructions in the appendix.
  • You must send a clear and concise textual description of the vulnerability, along with steps to reproduce the issue and/or a Proof of Concept; include attachments such as screenshots or proof-of-concept code as necessary.
  • Avoid using web application scanners for automated vulnerability searching, as they generate massive traffic.
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure.
  • Avoid compromising any personal data and avoid interrupting or degrading any service.
  • Don't access or modify other users' data; confine all tests to your own accounts.
  • Perform testing only within the scope.
  • Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
  • Don't spam forms or account creation flows using automated scanners.
  • Don't break any law, and stay within the defined scope.
  • Details of found vulnerabilities must not be communicated to anyone who is not part of the Cantina Team or an authorized employee of Piplabs or Story Foundation without appropriate permission.
  • If your finding is valid, you will be asked to complete KYC verification before payment can proceed.

Eligibility

We are happy to thank everyone who submits valid reports that help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • Current employees, vendors (auditors), partners, and contractors of Story Protocol and Story Foundation are not eligible to participate in the bug bounty program.
  • Former employees and contractors of Piplabs and Story Foundation who have ceased working with the aforementioned entities must wait 6 months before they are eligible to participate in the bug bounty program.
  • Sanctioned individuals and/or organizations are not eligible to participate in the bug bounty program. These restrictions are put in place to ensure the objectivity of the bug bounty program and to prevent any potential conflicts of interest.
  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through Cantina.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment. The team will disclose the vulnerability publicly when it is safe to do so, thanking the researcher if they choose to be credited.

Response Times

  • Critical: Response within 24 hours.
  • High: Response within 48 hours.
  • Medium and Low: Response within 72 hours.