
BugLess

A trustless bug bounty program for Linux RISC-V applications

Problem Statement

Bug bounty programs connect hackers and developers: hackers detect bugs in exchange for rewards. The correctness of this process, however, is not formally enforced. As a result, developers might underestimate the severity of bugs and pay less than advertised, or even refuse to pay at all. To solve this issue, we introduce BugLess, a verifiable bug bounty program powered by Cartesi Rollups. With this solution, developers can clearly specify invariants for their application that, when violated, trigger a reward request to the righteous hacker.

Solution

Our project is mainly powered by Cartesi Rollups, which we use to reproduce the execution of a RISC-V machine running Linux. Inside this machine, the application uses the EggRoll framework for Cartesi applications written in Go. Thanks to several Linux security features, we are able to sandbox user-submitted code to keep the bug bounty DApp itself from being exploited.

Hackathon

ETHOnline 2023

2023
