Welcome to the Libra Blockchain Bug Bounty!
Libra’s mission is to enable a simple global currency and financial
infrastructure that empowers billions of people. Libra is built on a secure,
scalable, and reliable blockchain. The blockchain has been built from the
ground up to prioritize scalability, security, efficiency in storage and
throughput, and future adaptability.
We have launched the Libra testnet, a live demonstration of an early prototype
of the Libra Blockchain software, also known as Libra Core. The Libra testnet
is comprised of test validator nodes running Libra Core, the software which
maintains the Libra cryptocurrency. In contrast to the forthcoming Libra
mainnet, the testnet uses a digital currency with no real-world value.
In the meantime, this project is at an early prototype stage. Please let us
know what you think. We are especially interested in your review of the
security and privacy architecture and design as well as -- of course -- your
To learn more about the Libra project goals, please refer to the Libra White
If you believe you have found a security vulnerability in any software or on
any application related to Libra, we encourage you to let us know right away.
We will investigate all legitimate reports. Before testing and reporting,
please carefully read the terms below.
Bounty Program Terms
Libra practices public disclosure. Only resolved reports are eligible for
disclosure, and the Libra Association must approve all disclosure requests. If
a researcher publicly discloses any vulnerability information without approval
from the Libra Association, the researcher will be considered in breach of
this policy and not protected by Safe Harbor.
When submitting a bug report you agree to abide by the following terms and
conditions (“Terms”). Failure to abide by these Terms could result in you not
receiving a reward in addition to any other rights or remedies the Libra
Association may have. Libra Association employees, Libra Association member
employees, and Libra Association vendor employees are all strictly prohibited
from participating in this bounty program. In addition to these Terms, your
use of Libra Association services, including for purposes of this program
participating in the bounty program, is subject to the Libra Association Code
of Conduct __.
1. Recognition and Rewards
- The Libra Association recognizes and rewards security researchers who help us keep people and assets safe by reporting vulnerabilities to our program. Monetary bounties for such reports are entirely at the Libra Association’s sole discretion, based on severity, impact and other factors.
2. To potentially qualify for a bounty, you must first meet these
- Adhere to these Terms and HackerOne disclosure guidelines __.
- You are not prohibited under applicable law from receiving any product, software or service offered by HackerOne or the Libra Association.
- Report a security bug: that is, identify a vulnerability in Libra which can create a security risk. (Note that the Libra Association ultimately determines the severity of an issue in its sole discretion, and that many software bugs are not security issues.)
- Describe in your report a problem involving one of the security issues listed as “In-Scope” (see section below). Note that certain types of potential security issues are excluded from this bounty program; these are listed under “Out of Scope” (see section below).
- Submit your report via the Libra Security Page __. Submit one issue per report and respond to the report with any updates. Please do not contact Libra Association employees directly or through other channels about a report.
- Disclose in your report if you inadvertently cause a privacy violation or disruption (such as accessing private data, service configurations, or other confidential information) while investigating an issue.
3. Requirements on Those Submitting Reports
- You represent that your bug report is your original idea and work product and has not been copied or misappropriated from any third party.
- You will submit bug report only from email or other accounts that you own or with explicit permission of the account holder.
- You will not exploit a security, privacy or other issue you discover for any reason. (This includes demonstrating additional impact, such as attempted compromise of sensitive data or probing for additional issues.)
- You will not violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data or computer systems.
- You will not violate the intellectual property or other rights of any third party.
- You will not attempt to introduce any virus or malicious code into any computer system or data.
4. Evaluation Criteria
The following sets forth the Libra Association’s evaluation criteria. Each of
these criteria is applied at the Libra Association’s sole and final
discretion. This includes decisions as to whether bug is in-scope of out-of-
scope. Decisions of the Libra Association are not appealable. By submitting a
bug report you acknowledge and agree to this discretion.
- Although we will try and investigate and respond to all valid reports, we do not guarantee that we will do. Similarly, we will seek to prioritize evaluations based on risk and other factors, but do not guarantee that we will do so.
- We determine bounty amounts based on a variety of factors, including (but not limited to), impact, ease of exploitation, and quality of the report.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue based on our sole determination. The Libra Association determines duplicates and may not share details of the other reports.
- A given bounty is only paid to one individual. Therefore if you submit a report from multiple individuals you must designate who will receive the bounty, if any. Failure to designate an individual means the Libra Association will make that determination in its sole discretion. For reports submitted by multiple individuals, it is up to those individuals to determine how the bounty, which the Libra Association will pay to only one individual, will be allocated.
- We reserve the right to publish reports (and accompanying updates) with hacker approval.
- In some cases, bounty awards might not be permitted to be paid under the applicable laws of your jurisdiction. In those cases, your bounty award will be forfeited.
5. Security Concerns That Are In Scope
Security is critical to Libra’s global mission. In particular we want to guard
- Transactions tampering
- Block tampering
- Validator compromise
- Denial of Service due to a single or unique set of limited requests (attacks relying on numerous/spam requests are out of scope)
- Non-experimental code calling experimental code
- Double spending
We welcome your assessments and identification of risks and flaws in the
general security of the Libra Blockchain, including:
- Design or architecture
- User or developer experience
- Admission Control
- Move language and Move VM
- Information serialization and de-serialization
- Buffer management
- Smart contracts
- Cryptographic primitive
- Sample wallet
6. Security Concerns That Are Out of Scope
- Spam or social engineering techniques
- Denial-of-Service (due to numerous/spam requests or distributed attacks)
- Security issues in third-party software or websites that integrate with the Libra Blockchain, except in the specific circumstances described in the Libra Bug Bounty program scope.
- Folders marked as "experimental" in their respective README.md.
- Reliability of the infrastructure hosting testnet
7. Non-Libra Issues Discovered
If you are looking to report another type of issue, please use the links below
8. Amount of Bounty
- The Libra Association will determine the amount of the bounty you are to receive, if any, in its sole and absolute discretion. These decisions are made on a case-by-case basis and are not appealable. The maximum amount of a bounty is $10,000.
- We may cancel or modify this program or these Terms at any time. The Terms that apply to you are those posted here as of the date of your submission. Please check the latest Terms before you submit your report.
- The Libra Association shall not be liable in any way for any claims arising from your use of the bounty program or your submitted reports. You hereby indemnity and hold harmless the Libra Association and its officers, directors, and employees from any claims arising from your breach of these Terms.
- We (and any Libra Association member companies that is the subject of your report) may retain any communications about security issues you report for as long as we deem necessary.
- All taxes on a bounty, if any, are the responsibility of the bounty recipient.
- These Terms shall be governed by the laws of Switzerland.
- Summary of vulnerability and impact
- Steps to reproduce
- Working proof of concept
Response Target | Time (in business days)
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Bounty (from report triage) | 14 days
Resolution | Depends on severity and complexity
Libra Association User Terms
Note that your use of Libra Association services, including for purposes of
this program, is subject to the Libra Association Code of Conduct
__. We (and any
Libra Association member company that is the subject of your report) may
retain any communications about security issues you report for as long as we
deem necessary for program purposes, and we may cancel or modify this program
at any time.
Reporting Non-Libra Vulnerabilities
If you are looking to report another type of issue, please use the links below