Bug bounty
Triaged by Hackenproof

Internet Computer Protocol : Program info

Internet Computer Protocol

Company: DFINITY
KYC required
This program is active now
Program infoHackers (22)Reports

This bug bounty program focuses on the Internet Computer Protocol (ICP), core Internet Computer components, and related products. To learn about rewards you could get, see the “Rewards” section. If you’re new to finding security bugs in ICP dapps, read the security best practices.

In scope
TargetTypeSeverityReward
https://github.com/dfinity/ic
copy
Copy
success Copied

The core Internet Computer Protocol stack.

Protocol
Critical
Bounty
https://github.com/dfinity/ic/tree/master/rs/nns
copy
Copy
success Copied

Network Nervous System (NNS) canisters

Code
Critical
Bounty
https://github.com/dfinity/ic/tree/master/rs/rosetta-api
copy
Copy
success Copied

Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data.

Code
Critical
Bounty
https://github.com/dfinity/nns-dapp
copy
Copy
success Copied

Front-end and back-end components of the Network Nervous System (NNS) canisters.

Code
Critical
Bounty
https://nns.ic0.app/
copy
Copy
success Copied

Front-end and back-end components of the Network Nervous System (NNS) canisters.

Code
Critical
Bounty
https://github.com/dfinity/internet-identity
copy
Copy
success Copied

Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication

Code
Critical
Bounty
https://identity.ic0.app/
copy
Copy
success Copied

Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication

Code
Critical
Bounty
https://github.com/dfinity/ic/tree/master/rs/sns
copy
Copy
success Copied

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS)

Code
Critical
Bounty
https://github.com/dfinity/ICRC-1
copy
Copy
success Copied

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS)

Code
Critical
Bounty
https://github.com/dfinity/motoko-base
copy
Copy
success Copied

Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts.

Code
Critical
Bounty
https://github.com/dfinity/motoko
copy
Copy
success Copied

Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts.

Code
Critical
Bounty
https://github.com/dfinity/sdk
copy
Copy
success Copied

IC software development kit

Code
Critical
Bounty
https://github.com/dfinity/cdk-rs
copy
Copy
success Copied

Rust Canister Development Kit allows rust developers to build ICP canisters in Rust.

Code
Critical
Bounty
https://github.com/dfinity/agent-js
copy
Copy
success Copied

The JavaScript agent allows developers to interact with ICP canisters.

Code
Critical
Bounty
https://github.com/dfinity/agent-rs
copy
Copy
success Copied

The Rust agent allows developers to interact with ICP canisters.

Code
Critical
Bounty
https://github.com/dfinity/candid
copy
Copy
success Copied

Candid is an interface description language (IDL) for interacting with canisters (also known as services or actors) running on the Internet Computer. It provides a language-independent description of canister interfaces and the data they exchange, with type safety and extensibility.

Code
Critical
Bounty
https://github.com/dfinity/quill
copy
Copy
success Copied

Minimalistic ledger and governance toolkit for cold wallets.

Code
Critical
Bounty
https://github.com/dfinity/icx-proxy
copy
Copy
success Copied

A command line tool to serve as a gateway for a Internet Computer replica.

Code
Critical
Bounty
https://github.com/dfinity/ic/tree/master/rs/boundary_node
copy
Copy
success Copied

ICP boundary nodes enables web2 software to interact with ICP canisters.

Code
Critical
Bounty
boundary.ic0.app
copy
Copy
success Copied

ICP boundary nodes enables web2 software to interact with ICP canisters.

Web
Critical
Bounty
Boundary.dfinity.network
copy
Copy
success Copied

ICP boundary nodes enables web2 software to interact with ICP canisters.

Web
Critical
Bounty
https://github.com/dfinity/exchange-rate-canister
copy
Copy
success Copied

The exchange rate canister provides an oracle service for cryptocurrency and fiat currency exchange rates. It interacts with all data sources using the HTTPS outcalls feature.

Code
Critical
Bounty
https://dashboard.internetcomputer.org/
copy
Copy
success Copied

The internet computer dashboard is a web application that provides visibility into the Internet Computer. It provides metrics and information about governance, network (subnets, data centers, nodes), Chain Fusion, etc.

Web
Critical
Bounty
https://github.com/dfinity/oisy-wallet
copy
Copy
success Copied

Oisy is a new browser-based, network-custodial and multi-chain wallet powered by Internet Computer's chain fusion technology.

Code
Critical
Bounty
https://github.com/dfinity/chain-fusion-signer
copy
Copy
success Copied

The Internet Computer provides an API that allows any canister to hold decentralised public-private key pairs. These keys can be used to sign messages for any system that uses compatible elliptic curves. Popular use cases are signing Bitcoin and Ethereum transactions. However, accessing this API requires developing a backend canister, which may be an unnecessary hurdle. The Chain Fusion Signer makes the Internet Computer threshold signature APIs directly accessible to web apps and to command line users.

Code
Critical
Bounty
https://github.com/dfinity/orbit
copy
Copy
success Copied

Orbit is a non-custodial platform for secure digital asset and smart contract management on the Internet Computer. It enables teams to define approval workflows, enforce governance policies, and manage assets with flexibility and transparency.

Code
Critical
Bounty
Target
https://github.com/dfinity/ic
copy
Copy
success Copied

The core Internet Computer Protocol stack.

TypeProtocol
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/ic/tree/master/rs/nns
copy
Copy
success Copied

Network Nervous System (NNS) canisters

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/ic/tree/master/rs/rosetta-api
copy
Copy
success Copied

Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/nns-dapp
copy
Copy
success Copied

Front-end and back-end components of the Network Nervous System (NNS) canisters.

TypeCode
Severity
Critical
RewardBounty
Target
https://nns.ic0.app/
copy
Copy
success Copied

Front-end and back-end components of the Network Nervous System (NNS) canisters.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/internet-identity
copy
Copy
success Copied

Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication

TypeCode
Severity
Critical
RewardBounty
Target
https://identity.ic0.app/
copy
Copy
success Copied

Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/ic/tree/master/rs/sns
copy
Copy
success Copied

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS)

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/ICRC-1
copy
Copy
success Copied

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS)

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/motoko-base
copy
Copy
success Copied

Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/motoko
copy
Copy
success Copied

Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/sdk
copy
Copy
success Copied

IC software development kit

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/cdk-rs
copy
Copy
success Copied

Rust Canister Development Kit allows rust developers to build ICP canisters in Rust.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/agent-js
copy
Copy
success Copied

The JavaScript agent allows developers to interact with ICP canisters.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/agent-rs
copy
Copy
success Copied

The Rust agent allows developers to interact with ICP canisters.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/candid
copy
Copy
success Copied

Candid is an interface description language (IDL) for interacting with canisters (also known as services or actors) running on the Internet Computer. It provides a language-independent description of canister interfaces and the data they exchange, with type safety and extensibility.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/quill
copy
Copy
success Copied

Minimalistic ledger and governance toolkit for cold wallets.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/icx-proxy
copy
Copy
success Copied

A command line tool to serve as a gateway for a Internet Computer replica.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/ic/tree/master/rs/boundary_node
copy
Copy
success Copied

ICP boundary nodes enables web2 software to interact with ICP canisters.

TypeCode
Severity
Critical
RewardBounty
Target
boundary.ic0.app
copy
Copy
success Copied

ICP boundary nodes enables web2 software to interact with ICP canisters.

TypeWeb
Severity
Critical
RewardBounty
Target
Boundary.dfinity.network
copy
Copy
success Copied

ICP boundary nodes enables web2 software to interact with ICP canisters.

TypeWeb
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/exchange-rate-canister
copy
Copy
success Copied

The exchange rate canister provides an oracle service for cryptocurrency and fiat currency exchange rates. It interacts with all data sources using the HTTPS outcalls feature.

TypeCode
Severity
Critical
RewardBounty
Target
https://dashboard.internetcomputer.org/
copy
Copy
success Copied

The internet computer dashboard is a web application that provides visibility into the Internet Computer. It provides metrics and information about governance, network (subnets, data centers, nodes), Chain Fusion, etc.

TypeWeb
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/oisy-wallet
copy
Copy
success Copied

Oisy is a new browser-based, network-custodial and multi-chain wallet powered by Internet Computer's chain fusion technology.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/chain-fusion-signer
copy
Copy
success Copied

The Internet Computer provides an API that allows any canister to hold decentralised public-private key pairs. These keys can be used to sign messages for any system that uses compatible elliptic curves. Popular use cases are signing Bitcoin and Ethereum transactions. However, accessing this API requires developing a backend canister, which may be an unnecessary hurdle. The Chain Fusion Signer makes the Internet Computer threshold signature APIs directly accessible to web apps and to command line users.

TypeCode
Severity
Critical
RewardBounty
Target
https://github.com/dfinity/orbit
copy
Copy
success Copied

Orbit is a non-custodial platform for secure digital asset and smart contract management on the Internet Computer. It enables teams to define approval workflows, enforce governance policies, and manage assets with flexibility and transparency.

TypeCode
Severity
Critical
RewardBounty

Focus Area

For a bug to be considered for a bounty, it must be in the scope outlined in this section. If you found a bug that is not explicitly in scope, we encourage you to still submit it. It may still qualify for a bounty depending on DFINITY’s discretion and the attack’s impact.

Core Internet Computer Protocol Stack

The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitute the Internet Computer blockchain network. It is structured into layers which are peer-to-peer, consensus, message routing, and execution. See our protocol documentation and specs. In order to get a good overview of the Internet Computer and to get started see our documentation.

Governance: Network Nervous System and Service Nervous System

Network Nervous System (NNS)

All aspects of ICP behavior are governed by the community of enthusiasts and users through a democratic governance system called the Network Nervous System (NNS). A high-level introduction can be obtained from this quick video.

Service Nervous System (SNS)

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS):

Frontend applications

The NNS front-end dapp provides a user-friendly way to interact with the Internet Computer’s governance system. It offers features such as logging in using Internet Identity, sending and receiving tokens, staking neurons, and viewing and voting on NNS and SNS proposals. See also the NNS dapp tutorial.

Financial Integrations

ICP provides ledger implementations for the ICP token according to the ICRC standards:

Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data:

Chain Fusion and Cross-Chain Applications

Chain-Key (ck) Tokens

These are ICRC compliant tokens that bring other assets, such as BTC or ETH to the ICP ecosystem. See also the Chain Fusion page.

Internet Identity: Self-Sovereign Single Sign-on Solution

Internet Identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication. Check out the quickstart guide to Internet Identity and the following video.

Developer Experience and Tooling: SDK, CDK, Motoko

The documentation for tools and development kits to assist with development in ICP can be found here. Motoko is a custom built, native language for ICP that simplifies the development of smart contract canisters.

Source code & domain:

Internet Computer Infrastructure

Node Operating Systems

The node software runs on the virtual machine termed ‘GuestOS’ that in turn runs on ‘HostOS’. In addition to these OSes, the boundary node systems have their own operating system ‘Boundary-guestOS’. Finally, the ‘SetupOS’ is used to install and set up a node.

Edge Infrastructure: HTTP Gateway and API Boundary Nodes

The HTTP gateways and the API boundary nodes are major ICP infrastructure components. They sit on the perimeter and act as a gateway to the Internet Computer platform. Here is the list of components:

Other infrastructure

In addition to the boundary nodes there are additional infrastructure assets that support the operations of the Internet Computer. Here is the list of the domains:

  • dfinity.network
  • dfinity.systems

Program Rules

  • Do not use off the shelf dynamic scanners such as DAST tools on production systems.
  • Make every effort not to damage or restrict the availability of products, services, and infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities or social engineering attacks
  • Don’t break any law

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.
  • Act responsibly and in good faith during the disclosure process.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • Abide by the program rules and disclosure guidelines
  • Ensure that the potential security bug you are reporting is in scope as specified in the Scope & Targets section below.
  • Any vulnerability found must be reported as soon as possible after discovery and ideally through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
  • You must not be a current employee of DFINITY or one of its contractors.
  • Only use the email address under which you registered your HackenProof account.
  • Do not engage in social engineering techniques or spear-phishing campaigns. Do not cause any harm to the data or the system.
  • Duplicate reports and closely related submissions will be dealt with on a case-by-case basis. If the submissions are determined to be genuine they may be rewarded based on a lower rewards scale.
  • In case that your finding is valid you might be asked for extra KYC verification to proceed with payments

Safe Harbor

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith;
  • You are expected, as always, to comply with all applicable laws.

Out of scope

All public websites (not explicitly listed in scope) and 3rd party dapps are out of scope for this bug bounty program. You can report issues but we don’t provide rewards.

Network-level DoS and DDoS is out of scope. Network-level misconfigurations or application or platform-level DoS issues (especially crashes) may qualify for a bounty depending on DFINITY’s discretion and the attack’s impact. We ask researchers not to perform DoS attacks on mainnet and production deployments. This will disqualify you from a bounty and from the bug bounty program entirely. Consider using local setups (e.g. using DFX) to demonstrate crashes, or reach out to us and we can support you to reproduce exploits.

Rewards
Range of bounty$500 - $50,000
Severity
Critical
$25,000 - $50,000
High
$10,000 - $25,000
Medium
$2,000 - $10,000
Low
$500 - $2,000
Stats
Scope Review4903
Submissions41
Total rewards$13,200
Types
blockchain
Languages
Rust
Project types
Other
L1
Hackers (22) View all
Rootx
1
Zakaria eddafry
2
Aviv Keller
3
Codermak
5
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time5d
Reward Time5d
Resolution Time14d