Bug Bounty Program



About the Bug Bounty Program

Make money by finding bugs! Find bugs in functions in libraries. We select which functions in which libraries are a part of the bug bounty program. A function in a library enters the program if it 1) solves a problem and solves it well and 2) has been used in production for some time without a bug being reported or found.

The goal of this bug bounty program is to create completely bug-free libraries that can be reused by anyone for all time. This is made possible by creating programs that only depend on the Timeless Instruction Set. This instruction set is stricter than most languages, which means that if a program runs there, it most likely runs in most other languages as well.

These libraries are valuable even to those who do not use them directly. The libraries can be used as reference implementations or testing oracles for auditing other implementations of the same functionality.

Rules

  • A bug is a valid input to a function for which the function produces the wrong output. The allowed inputs and correct outputs are described for each function in the bug bounty program.
  • A bug report must merely contain the function being tested, the input to the function and the expected output. Send it to [email protected], and we will give you a reply swiftly.
  • Out-of-memory exceptions or timeouts are not considered bugs unless it can be shown that they are caused by another bug that leads to excessive memory usage or running time.
  • The bug must be reproducible when the code is run using the Timeless Instruction Set. In general, if the bug is present when running in Java, it will probably be present there as well.
  • There is a publicly available list of functions in the bug bounty program with associated rewards for finding one bug. Only one bug will be considered at a time. Whether a bug is being considered will be shown in the list. If there is no bug being considered at this point in time, go search for one to earn the bounty!
  • When a bug is reported, the bug bounty for that function will be marked as under review. If the bug is confirmed, the reward will be paid, the bug will be fixed, and the library will go back to candidate status until we think it is of high enough quality to reenter the bug bounty program.
  • If a bug is not found for some time, we will raise the bounty. If you would like to contribute to raising the bounty, you can purchase a bug guarantee certificate for a certain amount, and we will add that amount to the bounty (minus a fee). This money will then be awarded to someone who finds a bug, the bug will be fixed and you will be notified.

Building and Running the Libraries

Building and running the libraries is easy, as they are all completely computational. Follow these guides to run and test the libraries:

Once the tests run, you know you have successfully built the libraries and you can start looking for bugs. Most libraries have a function called test; run it to test the library, even in the browser, for example for the JSON library. These test functions usually return the number of tests that failed, so expect a return value of 0.

Guarantee Certificates

You can buy a certificate for a function guaranteeing that it is bug-free. If a bug is found, the money will go to the person who found the bug (minus a fee). The more people buy these, the higher the rewards for finding bugs in this function will be. The higher the reward and the longer it stands, the less likely it is that there is a bug. Progsbase itself will issue rewards for finding bugs as well.

If no bugs are found for a long time, we can issue certificates stating the current amount of rewards and how long they have stood, the library's dollar years. For example, if a bounty of $1000 has stood for four years, the dollar years will be 4000 dollar years. This can be used as an indication of the quality of the library.

Contact Information

We would be more than happy to help you. Our opening hours are 9–15 (CET).

[email protected]

📞 (+47) 93 68 22 77

Nils Bays vei 50, 0876 Oslo, Norway

Copyright © 2018-24 progsbase.com by Inductive AS.