This bug bounty program focuses on the Internet Computer Protocol (ICP), core Internet Computer components, and related products. To learn about rewards you could get, see the “Rewards” section. If you’re new to finding security bugs in ICP dapps, read the security best practices.
Target | Type | Severity | Reward |
---|---|---|---|
https://github.com/dfinity/ic Copy The core Internet Computer Protocol stack. | Protocol | Critical | Bounty |
https://github.com/dfinity/ic/tree/master/rs/nns Copy Network Nervous System (NNS) canisters | Code | Critical | Bounty |
https://github.com/dfinity/ic/tree/master/rs/rosetta-api Copy Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data. | Code | Critical | Bounty |
https://github.com/dfinity/nns-dapp Copy Front-end and back-end components of the Network Nervous System (NNS) canisters. | Code | Critical | Bounty |
https://nns.ic0.app/ Copy Front-end and back-end components of the Network Nervous System (NNS) canisters. | Code | Critical | Bounty |
https://github.com/dfinity/internet-identity Copy Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication | Code | Critical | Bounty |
https://identity.ic0.app/ Copy Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication | Code | Critical | Bounty |
https://github.com/dfinity/ic/tree/master/rs/sns Copy ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS) | Code | Critical | Bounty |
https://github.com/dfinity/ICRC-1 Copy ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS) | Code | Critical | Bounty |
https://github.com/dfinity/motoko-base Copy Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts. | Code | Critical | Bounty |
https://github.com/dfinity/motoko Copy Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts. | Code | Critical | Bounty |
https://github.com/dfinity/sdk Copy IC software development kit | Code | Critical | Bounty |
https://github.com/dfinity/cdk-rs Copy Rust Canister Development Kit allows rust developers to build ICP canisters in Rust. | Code | Critical | Bounty |
https://github.com/dfinity/agent-js Copy The JavaScript agent allows developers to interact with ICP canisters. | Code | Critical | Bounty |
https://github.com/dfinity/agent-rs Copy The Rust agent allows developers to interact with ICP canisters. | Code | Critical | Bounty |
https://github.com/dfinity/candid Copy Candid is an interface description language (IDL) for interacting with canisters (also known as services or actors) running on the Internet Computer. It provides a language-independent description of canister interfaces and the data they exchange, with type safety and extensibility. | Code | Critical | Bounty |
https://github.com/dfinity/quill Copy Minimalistic ledger and governance toolkit for cold wallets. | Code | Critical | Bounty |
https://github.com/dfinity/icx-proxy Copy A command line tool to serve as a gateway for a Internet Computer replica. | Code | Critical | Bounty |
https://github.com/dfinity/ic/tree/master/rs/boundary_node Copy ICP boundary nodes enables web2 software to interact with ICP canisters. | Code | Critical | Bounty |
boundary.ic0.app Copy ICP boundary nodes enables web2 software to interact with ICP canisters. | Web | Critical | Bounty |
Boundary.dfinity.network Copy ICP boundary nodes enables web2 software to interact with ICP canisters. | Web | Critical | Bounty |
https://github.com/dfinity/exchange-rate-canister Copy The exchange rate canister provides an oracle service for cryptocurrency and fiat currency exchange rates. It interacts with all data sources using the HTTPS outcalls feature. | Code | Critical | Bounty |
https://dashboard.internetcomputer.org/ Copy The internet computer dashboard is a web application that provides visibility into the Internet Computer. It provides metrics and information about governance, network (subnets, data centers, nodes), Chain Fusion, etc. | Web | Critical | Bounty |
https://github.com/dfinity/oisy-wallet Copy Oisy is a new browser-based, network-custodial and multi-chain wallet powered by Internet Computer's chain fusion technology. | Code | Critical | Bounty |
https://github.com/dfinity/chain-fusion-signer Copy The Internet Computer provides an API that allows any canister to hold decentralised public-private key pairs. These keys can be used to sign messages for any system that uses compatible elliptic curves. Popular use cases are signing Bitcoin and Ethereum transactions. However, accessing this API requires developing a backend canister, which may be an unnecessary hurdle. The Chain Fusion Signer makes the Internet Computer threshold signature APIs directly accessible to web apps and to command line users. | Code | Critical | Bounty |
https://github.com/dfinity/orbit Copy Orbit is a non-custodial platform for secure digital asset and smart contract management on the Internet Computer. It enables teams to define approval workflows, enforce governance policies, and manage assets with flexibility and transparency. | Code | Critical | Bounty |
The core Internet Computer Protocol stack.
Network Nervous System (NNS) canisters
Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data.
Front-end and back-end components of the Network Nervous System (NNS) canisters.
Front-end and back-end components of the Network Nervous System (NNS) canisters.
Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication
Internet identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication
ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS)
ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS)
Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts.
Motoko is a safe, simple, actor-based programming language for building Internet Computer (ICP) canister smart contracts.
IC software development kit
Rust Canister Development Kit allows rust developers to build ICP canisters in Rust.
The JavaScript agent allows developers to interact with ICP canisters.
The Rust agent allows developers to interact with ICP canisters.
Candid is an interface description language (IDL) for interacting with canisters (also known as services or actors) running on the Internet Computer. It provides a language-independent description of canister interfaces and the data they exchange, with type safety and extensibility.
Minimalistic ledger and governance toolkit for cold wallets.
A command line tool to serve as a gateway for a Internet Computer replica.
ICP boundary nodes enables web2 software to interact with ICP canisters.
ICP boundary nodes enables web2 software to interact with ICP canisters.
ICP boundary nodes enables web2 software to interact with ICP canisters.
The exchange rate canister provides an oracle service for cryptocurrency and fiat currency exchange rates. It interacts with all data sources using the HTTPS outcalls feature.
The internet computer dashboard is a web application that provides visibility into the Internet Computer. It provides metrics and information about governance, network (subnets, data centers, nodes), Chain Fusion, etc.
Oisy is a new browser-based, network-custodial and multi-chain wallet powered by Internet Computer's chain fusion technology.
The Internet Computer provides an API that allows any canister to hold decentralised public-private key pairs. These keys can be used to sign messages for any system that uses compatible elliptic curves. Popular use cases are signing Bitcoin and Ethereum transactions. However, accessing this API requires developing a backend canister, which may be an unnecessary hurdle. The Chain Fusion Signer makes the Internet Computer threshold signature APIs directly accessible to web apps and to command line users.
Orbit is a non-custodial platform for secure digital asset and smart contract management on the Internet Computer. It enables teams to define approval workflows, enforce governance policies, and manage assets with flexibility and transparency.
For a bug to be considered for a bounty, it must be in the scope outlined in this section. If you found a bug that is not explicitly in scope, we encourage you to still submit it. It may still qualify for a bounty depending on DFINITY’s discretion and the attack’s impact.
The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitute the Internet Computer blockchain network. It is structured into layers which are peer-to-peer, consensus, message routing, and execution. See our protocol documentation and specs. In order to get a good overview of the Internet Computer and to get started see our documentation.
All aspects of ICP behavior are governed by the community of enthusiasts and users through a democratic governance system called the Network Nervous System (NNS). A high-level introduction can be obtained from this quick video.
ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS):
The NNS front-end dapp provides a user-friendly way to interact with the Internet Computer’s governance system. It offers features such as logging in using Internet Identity, sending and receiving tokens, staking neurons, and viewing and voting on NNS and SNS proposals. See also the NNS dapp tutorial.
ICP provides ledger implementations for the ICP token according to the ICRC standards:
Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data:
These are ICRC compliant tokens that bring other assets, such as BTC or ETH to the ICP ecosystem. See also the Chain Fusion page.
Internet Identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication. Check out the quickstart guide to Internet Identity and the following video.
The documentation for tools and development kits to assist with development in ICP can be found here. Motoko is a custom built, native language for ICP that simplifies the development of smart contract canisters.
Source code & domain:
The node software runs on the virtual machine termed ‘GuestOS’ that in turn runs on ‘HostOS’. In addition to these OSes, the boundary node systems have their own operating system ‘Boundary-guestOS’. Finally, the ‘SetupOS’ is used to install and set up a node.
The HTTP gateways and the API boundary nodes are major ICP infrastructure components. They sit on the perimeter and act as a gateway to the Internet Computer platform. Here is the list of components:
In addition to the boundary nodes there are additional infrastructure assets that support the operations of the Internet Computer. Here is the list of the domains:
We are happy to thank everyone who submits valid reports which help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:
All public websites (not explicitly listed in scope) and 3rd party dapps are out of scope for this bug bounty program. You can report issues but we don’t provide rewards.
Network-level DoS and DDoS is out of scope. Network-level misconfigurations or application or platform-level DoS issues (especially crashes) may qualify for a bounty depending on DFINITY’s discretion and the attack’s impact. We ask researchers not to perform DoS attacks on mainnet and production deployments. This will disqualify you from a bounty and from the bug bounty program entirely. Consider using local setups (e.g. using DFX) to demonstrate crashes, or reach out to us and we can support you to reproduce exploits.