RSK has created this bug bounty program to reward security researchers that
dedicate time and effort to improve the RSK platform.
RSK will make a best effort to meet the following SLAs for hackers
participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
- Time to bounty (from triage) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
- Follow HackerOne's disclosure guidelines __.
- Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or ETC) but reports to RSK with considerable delay, then RSK may reduce or cancel the bounty.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- The submitter must be the person who has discovered the vulnerability. Vulnerability submission cannot be delegated.
- The submitter grants RSK the right to use parts or all the submitted report for communicating the vulnerability to the public.
- Only test on nodes that you own. Avoid testing that could be damaging to RSK infrastructure or other users.
- RSK development team, employees and all other people paid by RSK , directly or indirectly, are not eligible for rewards.
- A person who submitted a change in the RSK codebase is not eligible for rewards for vulnerabilities originating or triggered by the submitted change.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring
Standard). Please note these are general guidelines, and that reward decisions
are up to the discretion of RSK.
Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 -
$10,000 | $4,000 | $2,000 | $1,000
Vulnerabilities which result in remote code execution will be awarded a bonus,
with a total award up to $20,000.
Our bug bounty program spans end-to-end: from soundness of protocols (such as
the blockchain consensus model, the wire and p2p protocols, proof of work,
etc.) and protocol implementation. Classical client security as well as
security of cryptographic primitives are also part of the program. Most JSON
RPC methods and CSRF attacks against them are in scope.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope :
- Findings related to the encryption or access control of the integrated wallet.
- Attacks requirng physical access or local user level access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Denial of our service (DoS) not directly related to a flaw in the RSK code or environment.
- JSON RPC
personal module and the filter API including
Thank you for helping keep RSK's platform and users safe!
Hall of Fame