Cosmos Bug Bounty Program

About the Cosmos Bug Bounty

The Cosmos ecosystem teams include the Cosmos SDK, Gaia, IBC, Tendermint Core, and IBC Relayers. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols.

Our program exists to actively reward the people who discover bugs in our protocol and the products we are building.

Recent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These are high priority for the security community to review.

Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.

• Critical— $5,000 and up

• High— $3,000 and up

• Medium— $1000 and up

• Low— up to $200

While there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.

If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated.

Program Scope

Please see the “Scope” tab for a list of assets which are included in the scope of our bug bounty program.

More Details

To qualify for a bounty, bugs must be:

• Valid on the master/main branch (or, under certain circumstances, on the latest release branch) of the corresponding repository.

• Valid for 64-bit machines with at least 2 GB RAM.

• Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.

We’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.

Examples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.

Please see here for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start here to learn more about getting it up and running in your testing environment.

All other associated websites, services, and sub-domains are out of scope, including:

• https://tendermint.com

• https://cosmos.network

• Cloud services, including AWS S3 buckets

Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services.

Scanner-generated reports and "Advisory" or “Informational” reports that do not include any Tendermint or Cosmos specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors.

Security Guidelines

See our Security Policy Document for more details on submissions and rewards.