EOSIO Bug Bounty Program
No technology is perfect, and Block.one believes that working with skilled
security researchers across the globe is crucial in identifying weaknesses in
any technology. If you believe you've found a security issue in our product or
service, we encourage you to notify us. We welcome working with you to resolve
the issue promptly.
A Bug Bounty program is an open offer to external individuals to receive
compensation for reporting EOSIO bugs, specifically related to security of the
Software Assets in Scope
In principle, the core EOSIO software is in scope for the bug bounty program.
This includes any of the latest versions of:
- EOSIO blockchain software (https://github.com/EOSIO/eos)
- Eos.js libraries (https://github.com/EOSIO/eosjs)
- EOSIO Contract Development Toolkit software (https://github.com/EOSIO/eosio.cdt) (specifically eosiolib, libc, and libc++/libcxx; other tools in this repo are out of scope)
- EOSIO Default Contracts (https://github.com/EOSIO/eosio.contracts)
- DoS style vulnerabilities will be considered in scope provided that the attack is effective due to specific code in the EOSIO repositories listed above, and no public mainnets are used for the PoC. You may not use public mainnets to prove out DoS attacks, nor any Block.one production infrastructure. All PoCs must be run against a testnet with the permission of those operating that testnet.
Public blockchains launched using EOSIO software will be outside of scope for
Only the following design or implementation issues that substantially affect
the stability or security of the project are in scope for the program. Common
- Cause nodeos to crash via the net_plugin (bnet_plugin is out of scope)
- Cause nodeos to crash via the HTTP RPC API (http_plugin) with Patroneos protection
- Send a contract into an infinite loop
- Cause a contract to use a large amount of memory (more than 64MB)
- Crash nodeos with a contract
- Trigger unauthorized actions on accounts
- Cause a contract to run for more than 10 ms over deadline
For scenarios that do not fall within one of the above categories, Block.one
still appreciates reports that help us secure our infrastructure and our
customers. As such, we will reward those reports based on the following table.
Please note these are general guidelines, and that reward decisions are up to
the discretion of Block.one.
Reward | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
Minimum | $5,000 | $2,500 | $1,000 | $100
Maximum | $10,000 | $5,000 | $2,500 | $1,000
Note that the scope of the program is limited to technical vulnerabilities
in Block.one software only; please do not try to sneak into Block.one offices,
attempt phishing attacks against our employees, and so on.
Note that bug reports are only valid against x86-64 architecture and against
32-bit WASM builds. 64-bit WASM is outside of the scope of this program.
- Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things.
- We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
- To qualify for bounty, the security bug must be original and previously unreported.
Depending on their impact, some of the reported issues may not qualify.
Although we review them on a case by case basis, here are some of the common
low risk issues that typically do not earn a monetary reward:
- WAST files. Bugs found against Wasm JIT/Binaryen that revolve around the WAST format are excluded from the HackerOne program. These types of bugs will never affect EOS, as the only format on the chain is WASM.
- Non x86-64 architecture. Any reports found by building the EOSIO software against non-x86-64 architectures are not valid.
- 64-bit WASM. EOSIO only supports 32-bit WASM builds. Any reports against 64-bit WASM builds are not valid.
- Build tools in the WASM SDK. Tools in the WASM SDK repo are out of bounds. These include, but are not limited to, eosio-readelf, eosio-objdump, eosio-ar, eosio-ranlib, etc.
- URL redirection or Phishing. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well designed and closely monitored redirectors outweigh their true risks.
- Flaws affecting the users of out of date systems. The security model of the web and blockchain is being constantly fine tuned. The panel will typically not reward any problems that affect only the users of outdated or unpatched systems.
- Presence of banner or version information. Version information does not, by itself, expose the service to attacks so we do not consider this to be a bug.
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
That said, if you find outdated software and have good reasons to suspect that
it poses a well defined security risk, please let us know.
- The base amount of a reward is currently $10,000 USD.
- The final amount is always chosen at the discretion of the reward panel.
- In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide to pay lower rewards for vulnerabilities that require unusual user interaction; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.
- For multiple vulnerabilities with one underlying root cause, where one fix can be applied to remediate, we will consider this as one vulnerability and only award once.
Investigating and reporting bugs
Please, never attempt to access anyone else's data and do not engage in any
activity that would be disruptive or damaging to your fellow users or to
If you have found a vulnerability, please submit a report through the
HackerOne Platform. Note that we are only able to answer to technical
Please include following in your report:
- Asset - What software asset the vulnerability is related to (e.g. EOSIO core software/eosjs)
- Severity - Your opinion on the severity of the issue (e.g. high, moderate, low)
- Summary - Add summary of the vulnerability
- Description - Any additional details about this vulnerability
- Steps - Steps to reproduce
- Supporting Material/References - Source code to replicate, list any additional material (e.g. screenshots, logs, etc.)
- Impact - What security impact could an attacker achieve?
- Your name and country.
Please be available to cooperate with Block.one engineering team to provide
further information on the bug if needed.
Additionally, please note that unidentified report submitters will not be
eligible for the bounty payment. Please expect to be asked for additional
identification details for us to be able to progress with the payment. Please
submit your report as soon as you have discovered a potential security issue.
Block.one will consider the maximum impact and will choose the reward
accordingly. We may pay higher rewards for otherwise well written and useful
submissions where the reporter didn't notice or couldn't fully analyze the
impact of a particular flaw.
Please note you will qualify for a reward only if you were the first person to
alert us to a previously unknown flaw. We will update you on the progress of
your report when it is accepted, validated, fixed and when the bounty is
Some restrictions to eligibility have been implemented. These restrictions
relate to a minimum signal of 3. Hackers below this signal range will not be
able to submit reports to our program.
This is not a competition, but rather an experimental and discretionary
rewards program. You should understand that we can cancel the program at any
time and the decision as to whether or not to pay a reward has to be entirely
at our discretion. Of course, your testing must not violate any law, or
disrupt or compromise any data that is not your own.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.