Bug bounty program
Triaged by HackenProof

Avalanche Protocol: Program info

Company: Avalanche
Status: Ended
Program left 2 years ago
In scope

Target        Type       Severity
AvalancheGo   Protocol   Critical
              https://github.com/ava-labs/avalanchego
Coreth        Protocol   Critical
              https://github.com/ava-labs/coreth
subnet-evm    Protocol   Critical
              https://github.com/ava-labs/subnet-evm

Documentation

Focus Area

In-Scope Vulnerabilities

The list below is not exhaustive, but it gives an overview of the issues we care about:

  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Price manipulation
  • Fee payment bypass
  • Balance manipulation
  • Violation of Avalanche tokenomics
  • Violation of the Avalanche consensus protocols (Avalanche and Snowman)
  • Privacy violation (below Bitcoin level privacy)
  • Cryptographic flaws
  • Remote panic over P2P-layer (NOT USING API AND NOT USING DENIAL-OF-SERVICE ATTACK)

Out-of-Scope Vulnerabilities

  • Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo
  • Network-level Denial-of-Service (TCP/IP/P2P)
  • Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network

Program Rules

All rules in the General Program apply. In addition:

  • Don't violate the privacy of other users, destroy data, etc.
  • Don't defraud or harm Avalanche network or its users during your research; you should make a good faith effort not to interrupt or degrade our services.
  • Don't target the validators' physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • Initially, report the bug only to us and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to our users or us. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
  • Perform testing on a private testnet whenever possible.
  • If you discover a potential vulnerability on the production network (mainnet or public testnet), please attempt to validate the finding on a private testnet.

Please note: where the reward exceeds the equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX, at a rate based on the weighted average price of AVAX over the 90 calendar days preceding the date of the respective validated report.

Rewards

Range of bounty: $100 - $100,000

Severity   Reward
Critical   $10,000 - $100,000
High       $5,000 - $10,000
Medium     $1,000 - $5,000
Low        $100 - $1,000
Stats

Scope Review: 122493
Submissions: 63
Total rewards: $126,100

Types: blockchain, smart contract

Hackers: 43
SLA (Service Level Agreement)

Time within which the program's triage team must respond:

Response Type     Business days
First Response    1d
Triage Time       2d
Reward Time       14d
Resolution Time   30d