Internet Computer Protocol (ICP): Program info

For a bug to be considered for a bounty, it must be in the scope outlined in this section. If you found a bug that is not explicitly in scope, we encourage you to still submit it. It may still qualify for a bounty depending on DFINITY’s discretion and the attack’s impact.

Core Internet Computer Protocol Stack

The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitute the Internet Computer blockchain network. It is structured into layers which are peer-to-peer, consensus, message routing, and execution. See our protocol documentation and specs. In order to get a good overview of the Internet Computer and to get started see our documentation.

• The Internet Computer Protocol (ICP) GitHub Repository
• Some important components are the following, but protocol implementation spans across additional crates:
  • execution, system_api, canister_sandbox and embedders
  • consensus and orchestrator
  • message routing and xnet
  • state_manager
  • p2p and http_endpoints
  • http_outcalls
  • crypto

Governance: Network Nervous System and Service Nervous System

Network Nervous System (NNS)

All aspects of ICP behavior are governed by the community of enthusiasts and users through a democratic governance system called the Network Nervous System (NNS).

• Network Nervous System (NNS) on GitHub
• Registry on GitHub

Service Nervous System (SNS)

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS).

• Service Nervous System (SNS) on GitHub
• Core canisters include SNS Root, SNS-W, SNS Governance, SNS Swap

Frontend applications

The NNS front-end dapp provides a user-friendly way to interact with ICP governance.

• Network Nervous System dapp on GitHub
• Domain: https://dashboard.hackenproof.com/redirect?url=https://dashboard.hackenproof.com/redirect?url=https://nns.ic0.app/

Financial Integrations

ICP provides ledger implementations for the ICP token according to the ICRC standards:

• Ledgers on GitHub

Rosetta API:

• Rosetta API on GitHub

Chain Fusion and Cross-Chain Applications

Chain-Key (ck) Tokens

See Chain Fusion page.

• Bitcoin:
  • Bitcoin integration
  • ckBTC on GitHub
• Ethereum:
  • ckETH and ckERC20 on GitHub
  • EVM RPC canister

Internet Identity

Internet Identity

• Internet Identity on GitHub
• Domain: https://dashboard.hackenproof.com/redirect?url=https://identity.ic0.app/

Developer Experience and Tooling: SDK, CDK, Motoko

Docs: Developer liftoff guide

• Motoko, Motoko base library
• IC SDK
• Rust CDK
• JavaScript Agent
• Rust Agent
• Candid IDL
• Cycles Ledger
• Quill toolkit

Internet Computer Infrastructure

Node Operating Systems

• Operating Systems on GitHub

Edge Infrastructure: HTTP Gateway and API Boundary Nodes

• HTTP gateway on GitHub
• Boundary nodes on GitHub
• Domains: boundary.ic0.app, boundary.dfinity.network

Other infrastructure

• dfinity.network
• dfinity.systems

• Do not use off the shelf dynamic scanners such as DAST tools on production systems.
• Make every effort not to damage or restrict the availability of products, services, and infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities or social engineering attacks
• Don’t break any law

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.
• Act responsibly and in good faith during the disclosure process.

We are happy to thank everyone who submits valid reports which help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• Abide by the program rules and disclosure guidelines
• Ensure that the potential security bug you are reporting is in scope as specified in the Scope & Targets section below.
• Any vulnerability found must be reported as soon as possible after discovery and ideally through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
• While AI-assisted tools can be very helpful and are encouraged to discover relevant bugs, their use in identifying vulnerabilities or preparing reports must be clearly disclosed. Keep reports brief, clear, and focused and avoid excessively long or repetitive AI-generated submissions. To ensure accuracy and quality, all participants are expected to personally verify any findings produced with the help of AI tools before submitting them. Any reports not meeting these standards may be rejected.
• You must not be a current employee of DFINITY or one of its contractors.
• Only use the email address under which you registered your HackenProof account.
• Do not engage in social engineering techniques or spear-phishing campaigns. Do not cause any harm to the data or the system.
• Duplicate reports and closely related submissions will be dealt with on a case-by-case basis. If the submissions are determined to be genuine they may be rewarded based on a lower rewards scale.
• In case that your finding is valid you might be asked for extra KYC verification to proceed with payments