Skip to main content

Bug Bounty

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it as per instructions on Web3 Foundation website. Disclosure to any third parties disqualifies bug bounty eligibility.

Bug bounty program scope

The bug bounty program does not cover bugs on code bases that are external to or, written on top of Polkadot, or that use Polkadot. To be eligible for the bug bounty program the bug has to be a part of the Polkadot codebase, this includes protocols that Polkadot uses such as AnV, XCM, GRANDPA, etc.

We call on our community and all bug bounty hunters to help identify bugs in Polkadot.

Eligibility

Generally speaking, any bug that poses a significant vulnerability, either to the soundness of protocols and protocol/implementation compliance to network security, to classical client security, as well as security of cryptographic primitives, could be eligible for a reward. Please note that it's entirely our discretion to decide whether a bug is significant enough to qualify for a reward.

note

The submission quality will be a significant factor in the level of considered compensation. A high-quality submission includes explaining how the bug can be reproduced, how it was discovered, and otherwise critical details. Please disclose responsibly; disclosure to any third parties disqualifies bug bounty eligibility.

Examples:

  • An attack that could disrupt the entire network and harm the validity to the network would be considered a critical threat.
  • An attack that would disrupt service to others would be regarded as a high threat.
Responsible investigation and reporting

Responsible investigation and reporting include, but isn't limited to, the following:

  • Don't violate the privacy of other users, destroy data, etc.
  • Don't defraud or harm Polkadot network or its users during your research; you should make a good faith effort not to interrupt or degrade our services.
  • Don't target the validators' physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • Initially, report the bug only to us and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to our users or us. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

How to report a bug

Please follow the instructions at web3.foundation/security-report/.