Bug Bounty Program
The Dash Core Group Bug Bounty Program allows developers to discover and resolve bugs before the general public is aware of such bugs, preventing incidents of widespread abuse. If you find a security vulnerability on any of the in-scope products mentioned below, please let us know right away by reporting it.
- Mainnet
- Dash Core Desktop Wallet
- Dash Wallet Android
- Dash Wallet iOS
Responsible Disclosure Policy
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Eligibility Requirements for Individuals
- You cannot have any contractual engagement with DCG
- You cannot have any contractual engagement with the DIF
- You cannot be an active Trust Protector
- You cannot receive a bounty from the incubator for the same bug
- You must provide basic KYC information (passport, local ID, etc.)
- Recipients must provide a USD bank account or a Dash address at a major exchange
- Residents or citizens of OFAC-restricted countries can report bugs but will not be eligible for a payout
Bounty Rewards
The goal of the DCG Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. Vulnerability submissions must meet certain criteria to be eligible for bounty rewards. Bounty rewards are based on a combination of priority and severity.
- Level 1 (60 Points) = $5,000
- Level 2 (50 Points) = $2,000
- Level 3 (40 Points) = $750
- Level 4 (30 Points) = $200
- Level 5 (20 Points) = $50
Level points are the sum of the severity points and the priority points, each rated High, Medium or Low as defined below.
ELIGIBLE
- Identify a vulnerability that was not previously reported to, or otherwise known by, DCG
- Such vulnerability must be reproducible in one of the in-scope products by DCG
- Include clear, concise, and reproducible steps, either in writing or in video format
- Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue
INELIGIBLE
- Vulnerabilities that require root/jailbreak access to exploit unless the root/jailbreak is initiated by the attacker after gaining physical access to the device
- Third-party libraries that are not owned by DCG
Severity High (30 Points)
- Could cause a loss of funds (without device access): private key exposure, recovery phrase exposure, PIN code attack/bypass
Severity Medium (20 Points)
- Prevents the use or receipt of funds (without device access): cannot sync with the chain, persistent error when trying to send Dash, cannot receive a transaction that was successfully submitted to the network
- Breach of privacy (with device access): private key exposure, recovery phrase exposure, PIN code attack/bypass, balance or transaction visibility without the required authentication
Severity Low (10 Points)
- Wallet balance and transactions (with device access): incorrect balance, reproducible incomplete transaction history, cannot recover a valid wallet
Priority High (30 Points)
- Very likely to occur; can occur on every device model and in any localization with the latest OS version; does not require the installation of additional software on the device
Priority Medium (20 Points)
- Moderate likelihood to occur; can only occur on specific device models in any localization with any supported OS version, or can occur on every device model in a specific localization with any supported OS version
Priority Low (10 Points)
- Low likelihood of occurring; can occur only on a specific device model or in a specific localization with a specific OS version
Bounty Payments
- Awards will be paid in Dash based on the current USD price at the date/time of the original submission
- Dash amounts are based on the volume-weighted average USD price published at messari.com
- Payouts will not cover any banking/transfer fees
- DCG will make any final decisions regarding severity and priority scoring