Bridge Bug Bounty

Blockchain bridges are crucial components connecting different blockchain systems. However, their significance and high transaction volume make them prime targets for malicious attacks. Participate in our bug bounty program to help protect the vital connection between Polkadot and Kusama.

What's in scope?

Parity Bridges Common is a collection of components for building bridges. These include Substrate pallets for syncing headers and passing arbitrary messages, as well as libraries for building relayers to provide cross-chain communication capabilities.

What makes a good submission?

Ultimately, we’re after findings that have a real impact. Purely theoretical findings are sometimes entertaining to investigate, so feel free to send us any. However, a finding will only be eligible if there is a way to break our systems in practice. Here’s what we’re looking for:

Proof-of-concept

Provide a working proof-of-concept (or equivalent evidence) — assuming that your research didn’t produce unrecoverable changes. This helps us to evaluate whether your submission is within the program’s scope and usable in possible attacks.

Impact vision

Describe the potential impact and attack scenario, including necessary conditions.

Originality

Ensure the bug is original and previously unreported (with no traces of reporting in public issues or internal audits). Where applicable, include links to any issues or PRs that led to your discovery or to the introduction of the vulnerability.

How you get paid

Your hard work deserves recognition and reward! This section details the steps to receive payment for your valuable contributions, if approved.

Step 1

Complete KYC

Eligible bug hunters will need to complete KYC to verify identity.

Step 2

Sign reward letter

Sign a reward letter that details payment terms.

Step 3

Provide address

Provide a DOT/KSM address for the reward payment.

Got a breakthrough?

Adhering to the guidelines will increase the chances of your report being accepted. Send your findings to bridgesbugbounty@polkadot.network

More info

Rules of the road

This section outlines the dos and don’ts of submissions, helping you understand how to report critical flaws, manage duplicate submissions, and handle accidental access to sensitive data.

Submission timing

Only submissions received by the official start date are considered. If you suspect that the flaw you found may be fatal for the items in scope, please do not take further action. Instead, describe your assumptions in as much detail as possible in the report.

Report critical flaws

If you identify a significant vulnerability, please stop at the point of recognition, gather the minimum amount of evidence necessary to demonstrate the issue, and report the vulnerability.

Duplicate submissions

Duplicate submissions within 72 hours of each other will split the bounty. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a prorated additional bounty on top of the split. Although we strive to be as transparent as possible, we do not disclose other participants’ names in such cases.

Accidental access

Notify us immediately at bridgesbugbounty@polkadot.network if you inadvertently access, modify, delete, or store user data, and delete any stored data after notifying us.

Respect our infrastructure

Our security team will investigate and potentially increase the bounty if the impact is greater than initially assessed. Please refrain from attempts that could break the systems, as many participants share the bounty program resources.

Reward eligibility

A reward will be granted only after the vulnerability patch has been released. Sharing any part of the security issue with third parties is prohibited without our written consent.

No involvement in buggy code

You must not have written or contributed to the buggy code for the Polkadot/Kusama project.

Legal age and jurisdiction

You must be old enough to participate and receive payment according to the laws of your jurisdiction, or have consent from your parent or guardian.

Sanctions compliance

We might be prevented by law from paying you, for example if you happen to live in a country on a sanctions list that applies to us. In such cases, we’re happy to make a donation to a well-established charity instead.

No exploitation

You must not, directly or indirectly, exploit the security vulnerability for your own gain or encourage or assist others to do so.

One-time reward

Each bug is eligible for a reward only once.

Rules of conduct

Respect and integrity are crucial for a collaborative and secure environment. Upholding ethical behavior ensures that everyone can participate positively and productively.

Zero tolerance

Threats or extortion towards members of the Polkadot/Kusama ecosystem, including withholding security issues, releasing vulnerabilities or data to the public or third parties, or engaging in disruptive behavior, will lead to immediate disqualification.

Safe and supportive environment

We reserve the right to disqualify individuals acting in a malicious, disrespectful, or disruptive manner. Such actions undermine the shared goal of creating a safe and supportive space for all.

Reward mechanism

Rewards are determined by the severity of the findings. Top contributors may earn recognition in the Bounty Hall of Fame and be considered for the Polkadot Blockchain Academy.

Hall of fame

A Bounty Hall of Fame will be published and regularly updated based on new reports and associated criticality. If you wish to remain anonymous, your avatar can be used instead.

Financial rewards

Financial rewards will be awarded based on the criticality of the findings.

Priority candidacy

The top five contributors in the Bounty Hall of Fame will receive priority consideration for the Polkadot Blockchain Academy, with a reserved slot for the very top contributor.

Legal and privacy