Bug bounty program

Copied from: Megathread: Community Submissions for DFINITY Foundation’s Roadmap - #16 by lastmjs

Consider adding a large-scale and ongoing bug bounty program. I believe DFINITY now has a responsible security vulnerability disclosure process, which is one excellent step in the right direction. But I think DFINITY should also allocate a large amount of funds towards rewarding those who responsibly disclose security vulnerabilities. I think this program warrants multiple millions of dollars towards responsible disclosure.

I am not confident the system is secure when it has only been looked over by members of the Foundation, or those close to them (I assume this has been the case, I could be wrong).


I second this, not much else to say. :grinning_face_with_smiling_eyes:


If you want small-scale instead of large-scale there is https://github.com/nomeata/capture-the-ic-token :wink:


Hahaha, I haven’t been able to break that one yet. Super fun

Great feedback! The foundation is moving towards Vulnerability Rewards Program from just being a disclosure program as we speak. The foundation is looking to reward those who come up with significant security findings.


Great news, thank you!

I hope the rewards will be competitive to attract the best hackers and security researchers from inside and outside of crypto.


I want to update you all that I have escalated this. I know the security team has plans on this, but I want to see how much I can share (they are, by nature, a friendly but secretive bunch :wink: )


#ICP Dapp Vulnerability Reporting

Ref: ISO/IEC 29147:2018


The #ICP Dapp ecosystem also needs a conduit for #ICP Dapp vulnerability reporting and disposition. Most Dapp builders are very small compared to major tech vendors and are unlikely to have an established vulnerability disclosure process.


  • As Dapps are deployed on the #ICP, vulnerabilities will be identified and there is a need to ensure quick and easy identification and communication.
  • It is difficult to figure out to whom a vulnerability should be reported while ensuring confidentiality and consistent processes.
  • Dapp developers are unlikely to register with their Common Vulnerability Exposure national authorities.

Approach :

Facilitation of the vulnerability process governed by a Vulnerability DAO (VulDAO) that would:

  • act as the CVE Numbering Authority (CNAs) for any apps registered with the DAO.
  • Maintain a register containing the name of the Dapp, the reporting contact, the disclosure policy, vulnerability reports, and their disposition.
  • register the DAO as the reporting mechanism with the CVE manager (There is no monetary fee for CVE CNA registration and no contract to sign).
  • establish a public vulnerability disclosure policy and seek ratification.
  • host a public web site ( VulDapp ) on the #ICP for new vulnerability disclosures.
  • ensure members agree to the CVE terms of use of the CVE manager.

Sample Disclosure Policy


We strongly encourage you to report potential security vulnerabilities using the VulDapp, before disclosing them in a public forum.

The VulDapp will maintain the list of security contacts for each registered Dapp.

Only use the VulDapp contact mechanism to report undisclosed security vulnerabilities for registered #ICP Dapps to facilitate the process of fixing such vulnerabilities. The VulDapp cannot accept regular bug reports or other security-related queries through this contact mechanism. Recipients will ignore communication sent to these contacts that does not relate to an undisclosed security problem in a #ICP Dapp registered with the #ICPVul Dapp.

Please send one plain-text message for each vulnerability you are reporting using the VulDapp . Rich content (diagrams, video, PDF, etc.) will not be accepted.

Please do not encrypt submissions.


You can usually find information on known vulnerabilities for an registered Dapp on the Vuldapp web page. For convenience, consult the list for VulDAO listed projects. Do not ask:

  • how to use the registered Dapp securely
  • whether a published vulnerability applies to specific versions of the canister you are using
  • whether a published vulnerability applies to the configuration of the canister you are using
  • about obtaining further information on a published vulnerability
  • about the availability of patches and/or new releases to address a published vulnerability

The relevant Dapp would have a forum to ask such questions on their discord, telegram, twitter, etc. The registered Dapp team will ignore any such questions you send directly to them.


An overview of the vulnerability handling process is:

  • The reporter reports the vulnerability privately using the VulDapp website
  • The appropriate Dapp security team works privately with the reporter to resolve the vulnerability.
  • The project creates a new release of the Dapp to deliver its fix.
  • The project publicly announces the vulnerability and describes how the fix has been applied or how to apply the fix as appropriate.
1 Like

@diegop Is there an update on an ongoing bug bounty program? I know this exists: https://dfinity.org/vulnerability-disclosure-program/ but there is no information on reward amounts if I’m not mistaken.


Hi lastmjs, We have been providing bounties the past few months even though it has not been explicitly mentioned on the program website. There is a quite of work that is going on currently and you should see the updates in the next few weeks. I will keep you posted.