[New Bug Bounty] DFINITY Foundation Has Launched Bug Bounty With Up to $50,000 Reward Per Critical Vulnerability

Andrii Stepanov

Marketing Manager

2 Minutes Read

Updated:

Meet ICP by DFINITY Foundation

Dfinity is a not-for-profit organization based in Zurich, Switzerland. Our mission is to develop technology that supports the next generation Internet Computer blockchain network and ecosystem.

Check Out The Rewards

If you find a vulnerability according to the bounty rules, DFINITY Foundation will reward you:

Critical: $25,000 – $50,000
High: $10,000 – $25,000
Medium: $2,000 – $10,000
Low: $500 – $2,000

Join The Bounty Hunt

There are three types of targets to scope:

Web
Protocol
Code

Make sure your reports contain info about these incidents:

Critical

The attack is easy to perform at a low cost and has a severe global impact.
Example. Disclosure of subnet key shares, Compromise of the integrity of the consensus process, for example, insertion of an arbitrary block into the blockchain, RCE in internal networks, memory underflow/overflow issues resulting in theft or illegal minting of exorbitant ( > $1M) amount of ICPs/Cycles*

High

The attack is relatively straightforward but may have additional constraints that may affect the ease or cost of the attack to a certain degree but still with a significant impact.
Example. A vulnerability that induces unauthorized access to neurons (access control bypass) but requires a significant amount of work per neuron, memory corruption of canisters resulting in loss of integrity but constrained by a limiting factor such as being exploitable only on canisters with certain pre-existing properties

Medium

The attack is difficult to perform, requires significant technical know-how and cost or the target may have to satisfy strict requirements in order to make a significant impact. Also, the attack that is simpler to perform but with moderate impact falls under this category.
Example. Memory corruption resulting in the crashing of replica process, Client-side vulnerability that allows stealing of credentials or keys from the client (ex, browser) by manipulating the user

Low

The attack that is very difficult to perform or has a minor impact falls under this category.
Example. A bug resulting in an attacker controlling what is displayed to the user without affecting the server-side data, UI redress, A bug that is not demonstrably exploitable but could be exploitable with more research

Once you’re ready, click here to join the bounty hunt!