Algorand was founded by cryptography pioneer and Turing award winner, Silvio Micali, to solve the “blockchain trilemma” with a platform that delivers decentralization, scalability and security. Algorand provides a foundation for existing businesses and new projects to operate globally in the emerging decentralized economy. Algorand’s first-of-its-kind, permissionless, pure proof-of-stake protocol supports the scale, open participation, and transaction finality required to build systems for billions of users.
Algorand invites you to test and help secure our innovative decentralized protocol. We appreciate your efforts and hard work in making the internet (and Algorand) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, a summary of the submission types accepted and their severity rating has been provided under this brief. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
this program. No other submission types will be reviewed nor rewarded. Non- applicable submission types will be marked as such.
the newest released package is in scope.
Last updated 7 Apr 2019 23:02:50 UTC
Technical severity | Reward range
p1 Critical | $2,100 - $2,500
p2 Severe | $1,200 - $1,500
p3 Moderate | $500 - $750
p4 Low | $125 - $200
P5 submissions do not receive any rewards for this program.
Target name | Type
Algorand Node - https://github.com/algorand/go-algorand | Other
Algorand Java SDK - https://github.com/algorand/java-algorand-sdk | Other
Algorand Golang SDK - https://github.com/algorand/go-algorand-sdk | Other
Algorand Ledger App - https://github.com/algorand/ledger-app-algorand |
Algorand TestNet | Other
Target name | Type
<https://algorand.foundation/> | Website
Hosting Infrastructure of TestNet (AWS, Kubernetes, Other Participants, etc)
Distributed denial of service | Other
Algorand.com | Website
Algorand.org | Website
Algorand MainNet | Other
Testing is only authorized on the target listed as In-Scope. Any domain/property of Algorand not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
You will test Algorand's protocol nodes, SDKs and their integration with TestNet, our primary testing location for the Algorand blockchain, by running your own instances using the hosted repositories found in the target section. Comprehensive documentation for each target can be found below and within each repository.
Algorand considers Social Engineering attacks against Algorand employees a violation of Program Policies. Researchers engaging in Social Engineering attacks against Algorand employees will be banned from the Algorand Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.
The current Bug Bounty Program as described on this page is v1.0 of our Bug Bounty Program. We anticipate the need to improve it over time and appreciate any feedback you may have on what we can do better.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.