Flow Bug Bounty Program

Earn $100k USD by finding Flow bugs

If you believe you may have found a security vulnerability in one of our products or platforms, send us an email: security@onflow.org

Read our Responsible Disclosure Guidelines

Rewards

We run closed bug bounty programs, but beyond that, we also pay out rewards once per eligible bug to the first responsibly disclosing third party. Rewards are based on the seriousness of the bug, but the minimum is $2,500 USD and we are willing to pay $100,000 or more (to a maximum of $1M of rewards per person or organization within any 12 consecutive months) at our sole discretion.

Critical-Impact Vulnerability
Reward: min. $100k
Criteria:
  • Emergency remediation
  • Public announcement
  • Typically a remote, unauthenticated compromise of application
Example:
  • Hard-forking of a smart contract
  • Loss of funds
  • Consensus violations

High-Impact Vulnerability
Reward: min. $50k
Criteria:
  • Immediate analysis and action is necessary
  • Public disclosure in most cases
  • Exploitation would significantly affect the business
Example:
  • Eventual fix of smart contract

Medium-Impact Vulnerability
Reward: $25k
Criteria:
  • Remediation required, but impact is not significant

Low-Impact Vulnerability
Reward: $2.5k
Criteria:
  • Low risk issues like misconfigurations with no proven path to exploit

Eligibility

To qualify, the bug must fall within our scope and rules, be previously unknown to us, have a material impact and be demonstrably exploitable, and require action by us.