Avalanche is an open-source platform for launching highly decentralized applications, new financial primitives, and new interoperable blockchains.
The Avalanche Protocol bug bounty program covers the official Avalanche client (AvalancheGo) and related components.
Please note: In cases where a size the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
AvalancheGo |
Protocol | Critical | Bounty |
| Protocol | Critical | Bounty | |
subnet-evm |
Protocol | Critical | Bounty |
- For more information, please check https://docs.avax.network/ .
- Guide on how to create a Local Test Network
- If you have any questions regarding the environment or vulnerabilities, please reach out to [email protected]
In-Scope Vulnerabilities
The list is not limited to the following submissions but it gives an overview of what issues we care about:
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Violation of Avalanche tokenomics
- Violation of the Avalanche consensus protocols (Avalanche and Snowman)
- Privacy violation (below Bitcoin level privacy)
- Cryptographic flaws
- Remote panic over P2P-layer (NOT USING API AND NOT USING DENIAL-OF-SERVICE ATTACK)
Out-of-Scope Vulnerabilities
- Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo
- Network-level Denial-of-Service (TCP/IP/P2P)
- Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network
All rules in the General Program apply. In addition:
- Don't violate the privacy of other users, destroy data, etc.
- Don't defraud or harm Avalanche network or its users during your research; you should make a good faith effort not to interrupt or degrade our services.
- Don't target the validators' physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- Initially, report the bug only to us and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to our users or us. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
- Perform testing on a private testnet whenever possible
- If you discover a potential vulnerability on the production network (mainnet or public testnet), please attempt to validate the finding on a private testnet
Please note: In cases where the size of the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report