5640 policies in database
Link to program      
Blockstack logo


25 $ 



Blockstack is building a new decentralized internet where users own their data and apps run without remote servers.

We're rethinking DNS, identity, authentication, and application infrastructure and working to make the internet a better place.

That said, we can't get there without the dedicated work of skilled security researchers like yourself.

We want your help and together we can make the internet safer and more free.

If you've found a bug in our products or supporting libraries, please notify us and we'll work with you to resolve this issue as soon as possible.

Thanks for being a part of the Blockstack community.


Severity | Reward
Very low severity bugs | $25+
Low severity bugs | $50+
Medium severity bugs | $150+
High severity bugs | $300+
Critical severity bugs | $600+

In general, we strive to reward a bounty after triage.


Main projects:

  • Blockstack Core - theblockstack_registrar folder is deprecated code and is out of review scope.

  • Blockstack Browser - the Blockstack browser uses a client-side authentication scheme, this means that user sessions are not related across multiple devices, and"signing out" of one device will not affect others. Reports related to this behavior will not be accepted.

Supporting Python libraries:

Supporting JavaScript libraries:

The main Blockstack website:

Out of Scope

  • Blockstack Community Rewards Program
  • Other website subdomains of blockstack.org (e.g., vote.blockstack.org)
  • Error pages of Blockstack websites which may reflect the page not-found (i.e., "404 responses").
  • Issues related to arbitrary data uploads in the Gaia protocol. This protocol is a decentralized and user-controlled file storage protocol. It allows arbitrary file uploads by design.
  • Issues already filed in public Github issues. We may move an issue from HackerOne over to our public Github repositories, and in doing so, mark the HackerOne issue resolved so that we can disclose it. However, as long as the issue remains open on Github, we will not accept new reports for that same issue.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Blockstack staff or contractors
  • Any physical attempts against Blockstack property or data centers

Thank you for helping keep Blockstack and our users safe!

The public program Blockstack on the platform Hackerone has been updated on 2019-12-10, The lowest reward is 25 $.

FireBounty © 2015-2020

Legal notices