A trustless bug bounty program for Linux RISC-V applications
Bug bounty programs connect hackers and developers: hackers detect bugs and developers reward them for it. The correctness of this process, however, is not formally enforced. As a result, developers might underestimate the severity of bugs and pay less than advertised, or even refuse to pay at all. To solve this issue, we introduce BugLess, a verifiable bug bounty program powered by Cartesi Rollups. With this solution, developers can clearly specify invariants for their application that, when violated, trigger a reward request to the rightful hacker.
Our project relies mainly on Cartesi Rollups to reproduce the execution of a RISC-V machine running Linux. Inside this machine, the application uses the EggRoll framework for Cartesi applications written in Go. Thanks to several Linux security features, we are able to sandbox user-submitted code and keep the bug bounty DApp itself from being exploited.
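The invariant-and-reward flow described above can be sketched in plain Go; this is an added example, not BugLess or EggRoll code. The Bounty type, Submit, the two errors and the toy SampleInvariant target are hypothetical names and constructed sample data, and treating a crash in the checked code as a violation is an assumption.

```go
package main

import "errors"

// Bounty is a hypothetical model of one bounty, not a BugLess data structure.
type Bounty struct {
	Reward  uint64
	Check   func(input []byte) bool // deterministic; true while the invariant holds
	Claimed bool
	Winner  string
}

var ErrClaimed = errors.New("bounty already claimed")
var ErrNoViolation = errors.New("invariant holds, no reward")

// Submit replays the input against the invariant. Only a violation pays out,
// and only once. A panic in the checked code counts as a violation (assumption).
func (b *Bounty) Submit(sender string, input []byte) (paid uint64, err error) {
	if b.Claimed {
		return 0, ErrClaimed
	}
	holds := func() (ok bool) {
		defer func() {
			if recover() != nil {
				ok = false
			}
		}()
		return b.Check(input)
	}()
	if holds {
		return 0, ErrNoViolation
	}
	b.Claimed, b.Winner = true, sender
	return b.Reward, nil
}

// SampleInvariant is a constructed toy target: a length-prefixed record
// decoder that must never read past its payload.
func SampleInvariant(input []byte) bool {
	for i := 0; len(input) > 0 && i < int(input[0]); i++ {
		_ = input[1+i] // bug: the declared length is trusted
	}
	return true
}

func main() {
	b := &Bounty{Reward: 100, Check: SampleInvariant}
	paid, err := b.Submit("alice", []byte{9, 'a'}) // constructed input
	println(paid, err == nil)
}
```

Because the verdict depends only on the submitted bytes, anyone replaying the same input reaches the same payout decision, which is the property the reproducible machine execution is meant to provide.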