The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

Responsible Disclosure

Our development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.

Rewards

We are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.

The Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the OWASP risk rating model based on Impact and Likelihood. However, final awards are determined at the sole discretion of the panel:

• Critical: up to 25 000 points

• High: up to 15 000 points

• Medium: up to 10 000 points

• Low: up to 2 000 points

• Note: up to 500 points

1 point currently corresponds to 1 USD (payable in lumens (XLM), something which may change without prior notice.

Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

Eligibility

Generally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

• Implementation bugs that can lead to financial loss

• Access to our production servers

• Remote Code Execution

• Protocol bugs

• Crash bug in Stellar-core or Horizon (ex. a bug that can crash the app by sending a special request, not by sending thousands requests).

The following reports are reported very often and will be marked as Not Applicable:

• SPF/DMARC records.

• CORS headers on endpoints meant to be accessible from other domains.

• Issues with other services we use Mailgun/Segment/etc.

• Logout CSRF.

• Vulnerabilities in 3rd party libraries without working exploit against our apps/servers.

• Readable AWS S3 buckets with Stellar ledger history - this is public.

• Wordpress admins usernames disclosure.

In general, the following would not meet the threshold for severity (and can be marked Not Applicable):

• Version disclosure.

• Lack of security headers.

• Cookies without secure flag.

• Recently disclosed 0-day vulnerabilities

• Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.

• Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.

• Vulnerabilities affecting outdated or unpatched browsers.

• Vulnerabilities in third party applications that make use of Stellar’s API.

• Bugs that have not been responsibly investigated and reported.

• Bugs already known to us, or already reported by someone else (reward goes to first reporter).

• Issues that aren't reproducible.

• Issues that we can't reasonably be expected to do anything about.

Severity

The severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. There are no alternate implementations of stellar-core and so a payout that affects stellar-core would pay out higher than for example, an XSS bug.

Scope

Our open source projects:

• Stellar-core

• Horizon

• Bridge and compliance server

SDKs:

• Go SDK

• Java SDK

• JS SDK

Our online services, apps and websites:

• https://www.stellar.org

• https://www.stellar.org/account-viewer/

• https://launch.stellar.org/

• https://api.stellar.org

• https://invite.stellar.org

Best practices

• Please use your local instance of Stellar-core / Horizon and a separate network (not test/public network) when searching for security bugs (ex. you can use our docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.

• Step by step report (or an exploit script) is more than welcomed. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.

Report a bug

• Submit your bug at https://hackerone.com/stellar/reports/new

• Try to include as much information in your report as you can, including a description of the bug, its potential -impact, and steps for reproducing it or proof of concept.

• Please allow 3 business days for us to respond before sending another email.

Legal

You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists.