This is a brief account of my experience reporting a critical bug in Amoveo on 7/8/2018.
My name is Isaac Cook and I've been a developer in the cryptocurrency space since 2014. I've been developing web applications since 2003. I co-authored the open source SimpleCoin mining pool software and ran an auto-exchanging multi-pool for a few years, and then more recently designed, built and now operate https://qtrade.io, a new exchange platform. I have a degree in Computer Science from the University of Kansas.
The qTrade platform will be supporting VEO in the near future, and as such I've
been working to integrate our exchange software with Amoveo. We have a security
requirement that transaction signing happens in a separate cluster from the
rest of the site, and to support this with Amoveo we've developed a custom
signing solution that creates raw Amoveo transactions. In the process of
testing our software we created a transaction with a negative amount, which
then caused an integer underflow on the recipient's account balance. This
underflow could be exploited to create large amounts of VEO.
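To make the failure mode concrete, here is an added toy ledger model (example code written for this write-up, not Amoveo's own implementation or anything from its code base). It assumes, purely for illustration, that balances are stored in an unsigned 64-bit field that wraps on overflow, as a fixed-width encoding would; the account names, the `apply_spend_*` functions and the sample balances are constructed. The vulnerable version checks that the sender can cover the amount plus fee but never checks the sign of the amount, so a negative amount passes the funds check and drives the recipient's balance below zero, where it wraps to a huge value. The hardened version rejects non-positive amounts before touching any balance.

```python
# Constructed example: a toy account ledger showing how an unchecked negative
# transfer amount becomes an integer underflow. Not Amoveo code; the 64-bit
# balance field, account names and balances are assumptions for illustration.

MASK64 = (1 << 64) - 1  # assumption: balances live in an unsigned 64-bit field


def to_u64(value: int) -> int:
    """Emulate writing an integer into a fixed-width unsigned field (wraps)."""
    return value & MASK64


def apply_spend_vulnerable(balances: dict, sender: str, recipient: str,
                           amount: int, fee: int) -> dict:
    """'Before' version: only checks that the sender can cover amount + fee.
    With amount < 0 the check is trivially satisfied, the sender's balance
    grows, and the recipient's balance wraps around below zero."""
    new = dict(balances)
    if new.get(sender, 0) < amount + fee:
        raise ValueError("insufficient funds")
    new[sender] = to_u64(new.get(sender, 0) - amount - fee)
    new[recipient] = to_u64(new.get(recipient, 0) + amount)
    return new


def apply_spend_hardened(balances: dict, sender: str, recipient: str,
                         amount: int, fee: int) -> dict:
    """'After' version: validate sign and range before any balance is touched,
    and refuse to write a result that does not fit the field."""
    if amount <= 0 or fee < 0:
        raise ValueError("amount must be positive and fee non-negative")
    new = dict(balances)
    if new.get(sender, 0) < amount + fee:
        raise ValueError("insufficient funds")
    new[sender] = new.get(sender, 0) - amount - fee
    new[recipient] = new.get(recipient, 0) + amount
    if new[recipient] > MASK64:
        raise ValueError("recipient balance would overflow the field")
    return new


def total_supply(balances: dict) -> int:
    """Sum of all balances; a correct transfer (minus the fee) never increases it."""
    return sum(balances.values())


def run_attack() -> dict:
    """Attacker sends a negative amount from one account they control to
    another they control. Returns the resulting (vulnerable) ledger."""
    ledger = {"attacker": 100, "attacker_alt": 0}  # constructed balances
    return apply_spend_vulnerable(ledger, "attacker", "attacker_alt",
                                  amount=-10, fee=1)


def hardened_rejects() -> bool:
    """True if the hardened path refuses the same malicious transaction."""
    ledger = {"attacker": 100, "attacker_alt": 0}
    try:
        apply_spend_hardened(ledger, "attacker", "attacker_alt", amount=-10, fee=1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    before = {"attacker": 100, "attacker_alt": 0}
    after = run_attack()
    print("supply before:", total_supply(before))
    print("supply after :", total_supply(after))  # enormously larger
    print("hardened rejects negative amount:", hardened_rejects())
```

The sender's balance rises to 109 (it "pays" a negative amount plus the fee) and the recipient's balance wraps to 2^64 - 10, so total supply jumps from 100 to well over 2^64. The practical lesson for anyone writing a raw-transaction signer or a validator is that every signed integer in a transaction needs an explicit range check at deserialization time, before it reaches any arithmetic on account state.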
Given the severity of the bug I contacted Zack and inquired about a bounty program and proper disclosure channels. After some back and forth with the details Zack was able to replicate the bug and promptly paid a bounty of 30 VEO, which was more generous than I requested. In under 24 hours after replication the bug was patched and all mining pools were notified and running the new code.
In the future I intend to do further security testing of VEO. With it supported on our exchange, a security flaw in VEO exposes us to risk as well. I plan to work with Zack in the future to resolve any concerns that we find, and it is my hope that a clear bounty program be outlined similar to the Ethereum Foundation's program to help encourage and support responsible disclosure.