Avalanche is an open-source platform for launching highly decentralized applications, new financial primitives, and new interoperable blockchains.
The Avalanche Protocol bug bounty program covers the official Avalanche client (AvalancheGo) and related components.
Until further notice, dependency takeovers issues are not accepted as part of this program !
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
AvalancheGo |
Protocol | Critical | Bounty |
| Protocol | Critical | Bounty | |
subnet-evm |
Protocol | Critical | Bounty |
- For more information, please check https://docs.avax.network/ .
- Guide on how to create a Local Test Network
- If you have any questions regarding the environment or vulnerabilities, please reach out to [email protected]
In-Scope Vulnerabilities
The list is not limited to the following submissions but it gives an overview of what issues we care about:
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Violation of Avalanche tokenomics
- Violation of the Avalanche consensus protocols (Avalanche and Snowman)
- Privacy violation (below Bitcoin level privacy)
- Cryptographic flaws
Out-of-Scope Vulnerabilities
- Network-level DoS
- Privacy beyond what Bitcoin offers
All rules in the General Program apply. In addition:
- Perform testing on a private testnet wherever possible
- If you discover a potential vulnerability on the production network (mainnet or public testnet), please attempt to validate the finding on a private testnet
- Please note: In cases where a size the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.