Hall of Fame

See more...

News & Updates

See all news and updates...

Rules

We ask that you respect the following rules and guidelines. Repeated violations will lead to disqualification from the bounty program.

Reminders

Payout

The OWASP Risk Rating Methodology will be used for assessing vulnerabilities and determining payout amount.

owasp risk rating table

The impact on the Decred ecosystem will also be taken into consideration. An RCE in dcrwebapi (low impact) is not the same as an RCE in dcrd or Decrediton (higher impact). Once the payout amount is decided there will be no changes to the payout amount unless the vulnerability impact changes.

The following are also factors in the payout:

The bounty program is funded by the Decred Treasury, therefore all payments are in DCR only. Recipients are required to create a Decred wallet and provide a payment address. Payouts are sent at the beginning of each month using the average DCR/USDT rate of the previous month.

For vulnerabilities that require a patch rollout and pose a risk to other network participants, we might choose to only release 60% of the payout amount first and hold the 40% until a patch has been released and distributed.

The maximum approved budget for payouts is capped at 100,000 USD. Please be aware of this when you are submitting multiple critical vulnerabilities. If the limit is reached then a new proposal will have to be submitted and get stakeholder approval before you can be paid in full.

Successful bounty hunters will be given one month to claim due rewards, after which they will be considered forfeit.

Indicative payout amounts

Note: up to 500 USD

Low: up to 1,500 USD

Medium: up to 5,000 USD

High: up to 15,000 USD

Critical: up to 30,000 USD

In Scope

To be eligible for the bounty program, reports must be reproducible security vulnerabilities in the latest production release or the master branch of the following repositories.

GitHub Repo Description Language
dcrd* Full node implementation of Decred Go
dcrwallet* Daemon handling Decred wallet functionality Go
decrediton Cross-platform GUI wallet node.js using Electron
dcrwebapi HTTP API providing blockchain and ecosystem data Go
dcrtime Anchored timestamp client and server Go
cspp** CoinShuffle++ mixing protocol implementation Go
dcrdex*** Decentralized exchange powered by atomic swaps Go
vspd Voting Service Provider (VSP) implementation Go
dcrlnd**** Decred Lightning Network Daemon Go

* Private RPCs which by default listen on localhost only are out of scope.

** Only the csppsolver command and the solver and solverrpc packages are in scope.

*** Assets other than Bitcoin and Decred are out of scope. Companion app and dexadm are out of scope.

**** Scope has some limitations, please read the linked GitHub page before testing.

Ineligible Findings

Submit Vulnerability

Please follow a standard format when submitting vulnerabilities.

Title
Affected website or repository
Vulnerability Type
Details
Impact of Vulnerability
Reproduction or POC details
Fix
Submit Vulnerability