Flow is a decentralized platform that anyone can access, everyone can trust, and no one can censor or block. Flow is the future.
Target | Type | Severity | Reward
---|---|---|---
https://www.flow.com | Web | Critical | Bounty
*.flow.com | Web | Critical | Bounty
*.onflow.org | Web | Critical | Bounty
The following defines the rewards for the Flow protocol and Cadence:
Severity: Critical Reward: $100,000 USD Criteria:
Severity: High Reward: $50,000 USD Criteria:
Severity: Medium Reward: $10,000 USD Criteria:
Severity: Low Reward: $1000 USD Criteria:
To qualify for a reward, the vulnerability must fall within our Assets In Scope, comply with our Responsible Disclosure Guidelines, and meet the following criteria:
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
Flow was built from the ground up with security in mind. Our code, infrastructure, and development methodology help us keep our users safe.
We appreciate the security researcher community and encourage it to report potential vulnerabilities in our assets. If you identify a vulnerability, please notify us using the following guidelines. Things To Do:
Things Not To Do:
We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:
The Flow ecosystem is working on progressively decentralizing the network by hardening protocol-level security and introducing permissionless nodes. For this reason, Flow still relies on protocol-compliant nodes, and bounties are limited to permissionless node types. Only attacks originating from Access and Observer nodes will qualify.
Protocol-level vulnerabilities which are only exploitable through the control of Collection, Consensus, Execution or Verification nodes are excluded.
The following web application vulnerabilities are excluded from this program: