BUGRAP PTE. LTD. | BugRap
Introduction of BUGRAP PTE. LTD.
BugRap
BugRap is a bug bounty platform focusing on the Web3 field. We closely partner with tens of thousands of white hat hackers and professional Web3 security companies to swiftly help projects identify and address product security issues, thus ensuring continuous protection of project security.

In terms of services, BugRap has the following advantages:

1. Professional white hat security team
2. Flexible bug bounty program
3. Professional and efficient report review process
4. Easy-to-operate vulnerability management backend
5. Public relations and brand influence

In terms of achievements: BugRap works with projects such as wallets, exchanges, blockchains, smart contracts and most of the Web3 areas we cover. Among them, Safeheron, Bitizen, ImToken, Sender, OneKey, TokenPocket, Hashkey DID, Bitkeep, Bitget, BigONE, DigiFT, Mexc and other well-known projects have joined. The number of our white hat hackers has also reached 1000+, and the white hat team includes Slowmist, Metatrust, Beosin, Verdise, GoPlus, DeFiHackerLabs and other well-known professional security companies.

Why Do You Need BugRap?

Maintaining product security is an ongoing task that demands constant vigilance and significant effort from project teams. In the realm of Web3, guaranteeing product security has become especially crucial.

At present, security audits are considered a crucial security measure for Web3 projects. Nevertheless, even after passing a security audit, some projects still suffer losses from hacker attacks. This implies that a single or brief security audit may not be sufficient to address all of a product's security concerns. Additionally, as product features continue to evolve and improve, new security issues may emerge.

To ensure the continuous security of a product, security audits should be supplemented with other security measures. BugRap’s bug bounty program is an effective addition to security audits and helps project teams to maintain their focus on security and ensure the safety of their products.

BugRap has a vast pool of white hat resources and collaborates with professional security companies to help project teams quickly detect and solve potential security issues. By partnering with BugRap, project teams can increase the involvement of white hats and foster a close working relationship with them. This partnership not only provides security assurance but also creates a mutually beneficial ecosystem that supports the long-term development of Web3 projects.

What Services Does BugRap Offer?

BugRap offers a bug bounty program that allows project teams to incentivize white hat hackers to report vulnerabilities, leading to prompt resolution of security issues. As part of this process, we provide:

1. Professional white hat security team

BugRap collaborates with various white hat hackers and security companies to gather professional security talents for continuous vulnerability testing of your project, as there is a scarcity of security experts and it is challenging to bring them together. These security talents include auditors from well-known auditing firms and members of the Web2 vulnerability bounty program hall of fame.

2. Flexible bug bounty programs

BugRap provides two options for vulnerability bounty programs, which are Public Bounties and Private Contests.

While Bounties are open to all white-hat users, KYC certification and application are necessary for accessing Contests.

For projects that require more secure measures, Contests offer a private testing option that allows for more precise control over the direction of vulnerabilities. This method only releases tasks to specific white-hat users and keeps the bounty program confidential, thereby providing project owners with more adaptable and manageable security protection.

3. Professional and efficient report review process

BugRap has a team of highly experienced security auditors who possess vast knowledge in security. Upon receiving vulnerability reports from white hat hackers, BugRap conducts validity checks to confirm the authenticity of the reports and to ensure that they fall within the project’s bounty scope. This process eliminates invalid reports, enabling the team to focus on addressing actual security issues.

4. User-friendly vulnerability management dashboard

Once you have logged in to your BugRap project account, you will be able to manage all the vulnerability reports for your project with ease. The dashboard allows you to view, confirm, resolve, and pay bounty for the reports conveniently, all on a single page, thereby streamlining the management process and making it more effective and professional.

5. PR and brand influence

Once you have joined BugRap, we will maintain high-quality promotional interactions with your project. After receiving vulnerability reports and obtaining your permission, we will write articles with high traffic and exposure based on the vulnerability reports, showcasing your project’s high regard for security and professional processes for handling vulnerability reports to the crypto community.

How Does It Work?

1. Settle-in

  • Submit your project through the application form and fill in the project's basic information.
  • BugRap will contact you within three working days to discuss project details and draft a bug bounty policy.
  • Confirm the bug bounty policy.
  • Confirm the bounty program startup time and marketing promotion details.

2. Fee

How much does it cost to launch your bug bounty program on BugRap?

The answer is zero!

You only need to pay the bounty to the white hat who submits a valid vulnerability report, after the vulnerability has been fixed. Additionally, you will need to pay BugRap a service fee of 10% of the bounty amount.

  • $0 onboarding fee
  • $0 management fee
  • $0 consultation fee for drafting a bounty program.
  • 10% BugRap performance fee (charged on top of the payout) for vulnerabilities found
  • No deposits
  • The project teams can customize the bounty amount and adjust it anytime based on their security budget.

Reward disbursement process

BugRap uses its pool of WhiteHat hackers to explore the vulnerabilities of proposed projects. Project teams are able to deal with potential security risks in a timely manner, making both project teams and users feel more secure about the project itself.

Reports submitted by WhiteHat hackers will go through the following process: (Report -> Review -> Fix -> Reward)

Report:

WhiteHat hackers browse the website (URL: https://bugrap.io) to search for projects and submit bugs.

Review:

  • The BugRap security team will perform due diligence on each vulnerability report received. It starts by evaluating the report and verifying its authenticity, then filters out the relevant information and feedback and passes it to the project team within one working day.

  • The project team will be assigned to solve the vulnerability and assess the risk level as well as the impacted area. The BugRap team will also assist the project team in verifying the bug and risk level within three working days.

Fix:

  • The BugRap security team and the WhiteHat hackers will help the project team discuss the identified problems and determine the best solution.

  • The project team will carry out the fix. The fix time will be determined according to the severity and difficulty level of the problem. Generally speaking, serious and high-risk problems are fixed within 24 hours, medium-risk problems within three working days, and low-risk problems within seven working days. The actual fix time shall be determined by the situation.

  • The BugRap security team and WhiteHat hackers will help the project team review and verify the fixed issues to ensure proper implementation of the fix.

Reward:

  • The project team informs the BugRap team of the resolution conclusion and risk rating, then pays the bounty to the WhiteHat hacker.

  • The project team can choose whether to disclose the report.

3. Entry process of bug bounty

After the agreement has been signed between the project team and the BugRap team, the project team will pay the basic service fee, and the following will take place:

  • The partnership between the project team and the BugRap team will be announced publicly, with a media/press release made by the project team and the BugRap team;

  • The bug bounty program will be marketed to the WhiteHat hacker communities;

  • The BugRap team will handle the communication between the project team and the WhiteHat hackers;

  • The access rights and notification rights of the vulnerability bounty review system will be configured;

  • The project team shall pay BugRap an additional fee of 10% of the bounty once the authenticity of the vulnerabilities has been confirmed.

4. Vulnerability type definition and scoring basis

After a vulnerability is submitted by a WhiteHat hacker, the BugRap team will define the vulnerability type and score the overall vulnerability according to relevant international standards in the pre-audit stage.

  • The types of smart contract security vulnerabilities will be defined by SWC and DASP standards;

  • Web, software and hardware security vulnerability types will be defined by the OWASP and CWE standards;

  • CVSS standards will be used for vulnerability rating.

After the pre-audit is passed, the project team will set the reward amount according to the information provided by the BugRap team and the impact of the vulnerability on the business and capital.

Contest: Private and Controllable Bug Bounty

In addition, the BugRap platform also provides Contests, a format that has long existed in the traditional security field, i.e. a private and controllable bug bounty. Contest projects are created by the project team and the BugRap platform under joint agreement; such projects are not publicly displayed, and only certified WhiteHat hackers from the platform are allowed to participate. A certified WhiteHat is one who has reported valid vulnerabilities on the platform, submitted KYC information to the platform, and passed the platform audit.

For Contest projects, vulnerability submission and vulnerability processing are no different from those of general projects.

Disclaimer and Confidentiality

Because the bug bounty service is a continuous and in-depth security cooperation, both parties shall adhere to the principle of "positive, transparent and comprehensive" information exchange, communication and feedback. On this basis, BugRap and the project party shall keep the contents of each other's output confidential, and it is strictly prohibited to share or disclose them to any third party without informing the other party. This bug bounty service focuses purely on technical support and does not constitute an endorsement of non-security matters of the project side.

Contact us

Website: bugrap.io

E-mail: bugbounty@bugrap.io

Twitter: @BugRap_Team

Medium: https://medium.com/@BugRap_Team/bugrap-bug-bounty-platform-for-web3-security-4ce3f4caf464

 
