29804 policies in database
Link to program      
Celo logo



A strong platform requires a robust community working together to find security vulnerabilities in order to keep the network safe.

Response Targets

The following represent best efforts response targets for hackers participating in this program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 20 business days

  • Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Reports out of scope will not be considered. Please check before submitting.

  • Note that Celo is an open source project.

  • Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Attacking any testnet other than the official Celo Baklava testnet (“Network”) is prohibited.

  • Any attacks that could cause physical damage or incur costs to other’s property is prohibited.

  • Any attacks against Network nodes that violate [Amazon Web Services Acceptable Use Policy] (https://aws.amazon.com/aup/) and Google Cloud Platform's Acceptable Use Policy and other specific services you use is prohibited.

  • Follow the Celo Community Code of Conduct.

  • Participation is subject to the Baklava testnet Terms & Conditions.

Test Plan

Out of scope vulnerabilities and assets

  • Previously known vulnerabilities (resolved or not) on the [Ethereum] (https://github.com/ethereum) and [Quorum] (https://github.com/jpmorganchase/quorum) networks (and any other fork of these).

  • Missing best practices in SSL/TLS configuration.

  • Attacks requiring physical access to a user's device.

  • Previously known vulnerable of standard libraries used.

  • Vulnerabilities only affecting users of outdated Celo clients or unpatched operating systems (less than 1 stable versions behind the latest released stable version).

  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month.

  • Issues that require unlikely user interaction.

  • Examples and tests in the code, this includes mock (i.e. not real) values.

  • Clickjacking

  • learn.clabs.co

Out of Scope Domains

  • learn.celo.org

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep the network safe!

In Scope

Scope Type Scope Name

Celo Protocol & Smart Contracts

















Out of Scope

Scope Type Scope Name


This program crawled on the 2020-02-04 is sorted as bounty.

FireBounty © 2015-2022

Legal notices | Privacy