Bug bounty program
Triaged by HackenProof

Aptos Network: Program info

Company: Aptos
Requirements: KYC required; POC required; $20 submission fee
Status: Live (program is active now)

Aptos is a next-generation Layer 1 blockchain. Aptos’ breakthrough technology and programming language, Move, are designed to evolve, improve performance and strengthen user safeguards.

The Aptos Foundation ("Aptos", "we", or "us") welcomes feedback from security researchers and the general public to help improve the security of the Aptos Network, and, at its sole discretion, offers bounty rewards ("Rewards") for security reports that identify previously unknown, in-scope security vulnerabilities.

In scope

Target                                                   Type   Severity
https://github.com/aptos-labs/aptos-core/tree/mainnet    Code   Critical

Out of scope

Target                                                                      Type   Severity
https://github.com/aptos-labs/aptos-core/tree/mainnet/consensus/src/dag     Code   None
https://github.com/aptos-labs/aptos-core/tree/mainnet/experimental          Code   None
https://github.com/aptos-labs/aptos-core/tree/mainnet/keyless/pepper        Code   None
[AIP-103] Permissioned Signer                                               Code   None
[AIP-104] Account Abstraction                                               Code   None

Focus Area

Rewards are calculated based on the severity of the impact that the identified vulnerability would have on Aptos users and the Aptos Network. Aptos Foundation retains sole discretion to determine the severity classification of reported vulnerabilities and the amount of any Reward.

  • Medium - up to $10,000
  • High - up to $50,000
  • Critical - up to $1,000,000

DoS issues that can be fixed without a hardfork are accepted as Medium severity issues and are paid in the Medium severity range.

Out of scope and ineligible for reward:

  • Test / Build Infrastructure Attacks
  • Vulnerabilities based on social engineering
  • Network Denial of Service (DoS) attacks are considered out of scope and are not eligible for Rewards under this program
  • Any DoS that affects a downstream Consensus Observer node and requires a Validator Node

Vulnerabilities that interest us:

  • Loss of Funds (Theft or Minting)
  • Consensus / Safety Violations
  • Non-recoverable network partition (fix requires hardfork)
  • Total Loss of Liveness / Network Availability
  • Permanent freezing of funds (fix requires hardfork)
  • Remote Code Execution on Validator Node
  • Cryptographic Vulnerabilities (with proven impact)
  • Validator Node Slowdowns
  • API Crash

If you identify a security vulnerability impacting the Aptos Network that does not fall under any of the above categories, we encourage you to report it for further analysis and we will consider a Reward as appropriate. Security issues impacting the Aptos Network having a root cause in external code dependencies are also in-scope for the program.

Program Rules

To be eligible for a Reward, you are required to:

  • Play by the rules, including following these Rules and any other relevant agreements. If there is any inconsistency or conflict between these Rules and any other applicable terms, the applicable terms of these Rules will prevail;
  • Submit an in-scope vulnerability as detailed above;
  • Include detailed information and clear steps to reproduce the issue. Vulnerabilities must be reproducible using the code currently in scope for the Program, based on the current mainnet configuration, and must affect features that are either enabled or are set to be enabled via a governance proposal;
  • Avoid any testing on live systems serving mainnet, testnet or devnet; all testing must be done locally;
  • Report any vulnerability within 24 hours from discovery;
  • Avoid disrupting our systems, destroying data, and/or harming users;
  • Only use this platform to report and discuss vulnerability information with us;
  • Allow a reasonable amount of time for the issue to be resolved;
  • Limit the data you access to the minimum required to effectively demonstrate a Proof of Concept in circumstances where a vulnerability provides unintended access to private data or secrets;
  • Not engage in extortion.

Duplicate Reports

When multiple reporters identify the same issue, they will share a single bounty pot. While the first reporter is given priority, the final distribution of the reward is determined by the value-add of each submission. To maximize your share of the pot, we look for:

  • High Report Quality: Clear, concise, and professional documentation.
  • Ease of Reproduction: Integration with our existing testing frameworks for immediate verification.
  • Actionable Fixes: Provision of clean, well-documented patch files.

Note: Any reports submitted after an issue has been fully triaged and resolved are ineligible for a reward.

Disclosure Guidelines

Do not discuss or disclose any vulnerabilities, even resolved ones, outside of this Program without the Aptos Foundation’s written consent.

Eligibility and Coordinated Disclosure

You ARE NOT eligible to participate in the Program if you are:

  • A "Restricted Person" as defined in the Aptos Foundation Terms of Use. To receive a Bounty, you will be required to complete an identity verification process to confirm that you are not a Restricted Person.
  • Under the age of 16. If you are at least 16 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program.
  • Currently an employee of, or a provider of services to, the Aptos Foundation, or a former employee or service provider of the Aptos Foundation within the 12 months preceding your submitted security report.
  • Employed by an entity that does not allow you to participate in the Program.

To receive a Reward, you will have to enter into an Agreement with Aptos Foundation and provide required information, which may include identity verification information and tax information or forms, such as a W-9 or W-8 for U.S. residents or citizens.

Rewards are managed by Aptos Foundation and are denominated in United States Dollars (USD). Rewards may be paid partially or fully in digital assets at the sole discretion of Aptos Foundation. If you receive digital assets as part of your Reward, the value of the digital assets in USD will be determined at the time you execute your Agreement with Aptos Foundation and after you have satisfied all eligibility criteria. Token-based rewards may be subject to a lock-up period.

Rewards

Trusted Payer: this company has funded a bounty deposit.
Range of bounty: $0 - $250,000

Severity    Range
Critical    $0 - $250,000
High        $0 - $50,000
Medium      $0 - $10,000
Low         $0

Stats

Scope Review: 75848
Submissions: 378
Total rewards: $1,690,500
Types: blockchain, smart contract
Languages: Move, Rust
Project types: L1/L2
Hackers: 157

SLA (Service Level Agreement)

Time within which the program's triage team must respond:

Response Type      Business days
First Response     3d
Triage Time        7d
Reward Time        90d
Resolution Time    30d