Mysten Labs welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you. All reports must be submitted with a valid proof of concept (PoC) and detailed steps for reproduction to be considered valid. Please test attacks on Testnet to evaluate whether they can cause state changes to objects.
| Target | Type | Severity | Reward |
|---|---|---|---|
| https://chromewebstore.google.com/detail/sui-wallet/opcgpfmipidbgpenhmajoajpbobppdil?hl=en | Other | Critical | Bounty |
| https://github.com/MystenLabs/sui/tree/main/apps/wallet | Code | Critical | Bounty |
Additionally, we consider infrastructure built around the wallet (GitHub, etc.) to be in scope. Other resources connected to Mysten Labs may be considered on a case-by-case basis according to severity.
If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.
Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.
Testing should not compromise the privacy of any individual or entity.
Our rewards for wallets and websites are based on severity per the Common Vulnerability Scoring Standard. Please note that these are general guidelines, and reward decisions are subject to the discretion of Mysten Labs.
Mysten Labs may change or modify the amounts or types of rewards and may remove or reallocate any rewards earned by any participant or elect not to provide any rewards to any participant for any reason.
Distribution of rewards will follow reward determinations made by Mysten Labs, and will be subject to successful completion of KYC process (details below). Payments will be denominated in SUI. U.S. persons will receive rewards denominated in USD.
We are happy to thank everyone who submits valid reports that help us improve our security. However, only those who meet the following eligibility requirements may receive a monetary reward:
Upon validating a reported bug, we will notify you of the reward amount. Payouts will be processed following our KYC procedures. Please note that all researchers eligible for a reward will be required to go through the KYC process.
The KYC process is necessary to prevent fraudulent activities and comply with international regulations. We ensure that all personal information collected during this process will be stored securely and used solely for the purpose of the KYC process.
During the KYC process, you may be asked to provide the following:
Failure to successfully pass the KYC process will result in the withholding of the bounty payout. We appreciate your understanding and cooperation in this matter.
When conducting vulnerability research, we consider research conducted solely under this program to be:
You are expected, as always, to comply with all applicable laws.
Note that this section applies only to legal claims brought by Mysten Labs, and that this section does not bind independent third parties or law enforcement authorities.