The list is not limited to the following submissions but it gives an overview of what issues we care about:
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Violation of Avalanche tokenomics
- Violation of the Avalanche consensus protocols (Avalanche and Snowman)
- Privacy violation (below Bitcoin level privacy)
- Cryptographic flaws
- Remote panic over P2P-layer (NOT USING API AND NOT USING DENIAL-OF-SERVICE ATTACK)
- Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo
- Network-level Denial-of-Service (TCP/IP/P2P)
- Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network
All rules in the General Program apply. In addition:
- Don't violate the privacy of other users, destroy data, etc.
- Don't defraud or harm Avalanche network or its users during your research; you should make a good faith effort not to interrupt or degrade our services.
- Don't target the validators' physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- Initially, report the bug only to us and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to our users or us. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
- Perform testing on a private testnet whenever possible
- If you discover a potential vulnerability on the production network (mainnet or public testnet), please attempt to validate the finding on a private testnet
Please note: In cases where the size of the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report