Andrii Stepanov
Marketing Manager

Meet ICP by DFINITY Foundation

Dfinity is a not-for-profit organization based in Zurich, Switzerland. Our mission is to develop technology that supports the next generation Internet Computer blockchain network and ecosystem.

Check Out The Rewards

If you find a vulnerability according to the bounty rules, DFINITY Foundation will reward you:

  • Critical: $25,000 – $50,000
  • High: $10,000 – $25,000
  • Medium: $2,000 – $10,000
  • Low: $500 – $2,000

Join The Bounty Hunt

There are three types of targets to scope:

  • Web
  • Protocol
  • Code

Make sure your reports contain info about these incidents:


  • The attack is easy to perform at a low cost and has a severe global impact.
  • Example. Disclosure of subnet key shares, Compromise of the integrity of the consensus process, for example, insertion of an arbitrary block into the blockchain, RCE in internal networks, memory underflow/overflow issues resulting in theft or illegal minting of exorbitant ( > $1M) amount of ICPs/Cycles*


  • The attack is relatively straightforward but may have additional constraints that may affect the ease or cost of the attack to a certain degree but still with a significant impact.
  • Example. A vulnerability that induces unauthorized access to neurons (access control bypass) but requires a significant amount of work per neuron, memory corruption of canisters resulting in loss of integrity but constrained by a limiting factor such as being exploitable only on canisters with certain pre-existing properties


  • The attack is difficult to perform, requires significant technical know-how and cost or the target may have to satisfy strict requirements in order to make a significant impact. Also, the attack that is simpler to perform but with moderate impact falls under this category.
  • Example. Memory corruption resulting in the crashing of replica process, Client-side vulnerability that allows stealing of credentials or keys from the client (ex, browser) by manipulating the user


  • The attack that is very difficult to perform or has a minor impact falls under this category.
  • Example. A bug resulting in an attacker controlling what is displayed to the user without affecting the server-side data, UI redress, A bug that is not demonstrably exploitable but could be exploitable with more research

Once you’re ready, click here to join the bounty hunt!