Alephium places utmost importance on the security of its network and infrastructure. Thus, we present to you the formal Alephium Bug Bounty Reward Program designed to encourage responsible bug exposure. Rewards will be distributed considering the bug's gravity that has been reported.
This Program encompasses bugs and vulnerabilities across the entire operational Alephium environment. This scope extends to the GitHub repositories mentioned below:
- Alephium
- Frontend
- Extension Wallet
- Bridge
- Ledger Integration
- DEX Proof of Concept
- NFT Marketplace Proof of Concept
- Web3 SDK
- Explorer Backend
- Website
Nonetheless, if a bug in any Alephium-related repository is discovered, even if it doesn't fall within the ones listed, that puts users’ funds at risk, the team will contemplate the issue as part of the bounty's scope.
Exclusions from the Program's coverage include:
- Third-party contracts outside Alephium's direct control
- Bugs in third-party contracts or apps utilizing Alephium code
Rewards will be offered based on the risk level and the probability of the bug being activated or exploited, as determined solely by Alephium.
All found vulnerabilities or bugs must be exclusively reported to this email: bugbounty@alephium.org. An acknowledgment of the report will be issued within 2 business days by Alephium.
Public disclosure of the vulnerability, or disclosure to any other individual, entity, or email address is prohibited before Alephium has been alerted, resolved the issue, and authorized public disclosure. Additionally, the vulnerability must be reported within 24 hours of its discovery.
A comprehensive report on a vulnerability increases the chances of a reward and may boost the reward sum. Please supply as much information as possible about the vulnerability, including:
- The conditions that the bug reproduction depends on.
- Steps required to reproduce the bug or, ideally, a proof of concept.
- The potential repercussions of the vulnerability's exploitation.
- Any individual who reports a unique, previously unreported vulnerability that leads to a code alteration or configuration change, and maintains its confidentiality until its resolution by our engineers, may opt for public recognition for their contribution.
To qualify for a reward under this Program, you must:
- Comply with the Program Rules and meet its eligibility requirements.
- Identify a previously unreported, non-public vulnerability that the team isn't aware of and is within the Program's scope.
- Be the first to report the unique vulnerability to bugbounty@alephium.org, adhering to the reporting requirements.
- Provide enough information to help the core contributors understand, reproduce, and rectify the vulnerability.
- Not exploit the vulnerability in any manner, including making it public or obtaining profit (beyond this Program's reward).
- Refrain from publicizing the vulnerability in any form other than confidential reporting to us.
- Make a sincere attempt to prevent privacy infringements, data destruction, or disturbance of any in-scope assets.
- Not report a vulnerability rooted in the same issue that has already been rewarded under this Program.
- Not indulge in any illegal behavior while disclosing the bug to bugbounty@alephium.org, such as threats, demands, or any coercive tactics.
By submitting your report, you concede to Alephium any and all rights, including intellectual property rights, required to verify, alleviate, and disclose the vulnerability. We retain absolute discretion regarding all reward decisions, including eligibility for and amounts of rewards, and the payment method.
The terms and conditions of this Program can be modified at any time.