Bridge Bug Bounty
Blockchain bridges are crucial components connecting different blockchain systems. However, their significance and high transaction volume make them prime targets for malicious attacks. Participate in our bug bounty program to help protect the vital connection between Polkadot and Kusama.
What's in scope?
Parity Bridges Common is a collection of components for building bridges. These include Substrate pallets for syncing headers and passing arbitrary messages, as well as libraries for building relayers to provide cross-chain communication capabilities.
What makes a good submission?
Ultimately, we’re after findings that have a real impact. Purely theoretical findings are sometimes entertaining to investigate, so feel free to send us any. However, it will only be eligible if there is a way to break our systems in practice. Here’s what we’re looking for:
Proof-of-concept
Provide a working proof-of-concept (or equivalent evidence) — assuming that your research didn’t produce unrecoverable changes. This helps us to evaluate whether your submission is within the program’s scope and usable in possible attacks.
Impact vision
Describe the potential impact and attack scenario, including necessary conditions.
Originality
Ensure the bug is original and previously unreported (with no traces of reporting in public issues or internal audits). Where applicable, include links to any issues or PRs that led to your discovery of the vulnerability or to its introduction.
How you get paid
Your hard work deserves recognition and reward! This section details the steps to receive payment for your valuable contributions, if approved.
Complete KYC
Eligible bug hunters will need to complete KYC to verify identity.
Sign reward letter
Sign a reward letter that details payment terms.
Provide address
Provide a DOT/KSM address for the reward payment.
Got a breakthrough?
Adhering to the guidelines will increase the chances of your report being accepted. Send your findings to bridgesbugbounty@polkadot.network
Rules of the road
This section outlines the dos and don’ts of submissions, helping you understand how to report critical flaws, manage duplicate submissions, and handle accidental access to sensitive data.
Submission timing
Only submissions received by the official start date are considered. If you suspect that the flaw you found may be fatal for the items in scope, please do not take further action. Instead, describe your assumptions in as much detail as possible in the report.
Report critical flaws
If you identify a significant vulnerability, please stop at the point of recognition, gather the minimum amount of evidence necessary to demonstrate the issue, and report the vulnerability.
Duplicate submissions
Duplicate submissions within 72 hours of each other will split the bounty. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a prorated additional bounty on top of the split. Although we strive to be as transparent as possible, we do not disclose other participants' names in such cases.
Accidental access
Notify us immediately at bridgesbugbounty@polkadot.network if you inadvertently access, modify, delete, or store user data, and delete any stored data after notification.
Respect our infrastructure
Our security team will investigate and potentially increase the bounty if the impact is greater than initially assessed. Please refrain from attempts that could break the systems, as many participants share the bounty program resources.
Reward eligibility
A reward will be granted only after the vulnerability patch has been released. Sharing any part of the security issue with third parties is prohibited without our written consent.
No involvement in buggy code
You must not have written or contributed to the buggy code for the Polkadot/Kusama project.
Legal age and jurisdiction
You must be old enough to participate and receive payment according to the laws of your jurisdiction, or have consent from your parent or guardian.
Sanctions compliance
We might be prevented by law from paying you, for example if you live in a country on a sanctions list that applies to us. In such cases, we're happy to make a donation to a well-established charity instead.
No exploitation
You must not, directly or indirectly, exploit the security vulnerability for your own gain, or encourage or assist others to do so.
One-time reward
Each bug is eligible for a reward only once.
Rules of conduct
Respect and integrity are crucial for a collaborative and secure environment. Upholding ethical behavior ensures that everyone can participate positively and productively.
Zero tolerance
Threats or extortion towards members of the Polkadot/Kusama ecosystem, including withholding security issues, releasing vulnerabilities or data to the public or third parties, or engaging in disruptive behavior, will lead to immediate disqualification.
Safe and supportive environment
We reserve the right to disqualify individuals acting in a malicious, disrespectful, or disruptive manner. Such actions undermine the shared goal of creating a safe and supportive space for all.
Reward mechanism
Rewards are determined by the severity of the findings. Top contributors may earn recognition in the Bounty Hall of Fame and be considered for the Polkadot Blockchain Academy.
Hall of fame
A Bounty Hall of Fame will be published and regularly updated based on new reports and associated criticality. If you wish to remain anonymous, your avatar can be used instead.
Financial rewards
Financial rewards will be awarded based on the criticality of the findings.
Priority candidacy
The top five contributors in the Bounty Hall of Fame will receive priority consideration for the Polkadot Blockchain Academy, with a reserved slot for the very top contributor.