What is a Bug Bounty?
A bug bounty is a reward program where protocols pay security researchers for discovering and responsibly reporting vulnerabilities. Bounties incentivize ongoing security research and create a structured process for handling discovered issues.
Why Bug Bounties Matter
- Continuous Security: Unlike audits, bounties provide ongoing coverage
- Economic Incentives: Rewards good actors for finding bugs
- Responsible Disclosure: Creates safe channels for reporting
- Community Engagement: Taps the global security researcher community
Bug Bounty Platforms
- Immunefi: Leading DeFi bug bounty platform with $150M+ in bounties
- HackerOne: General security platform with some Web3 programs
- Bugcrowd: Traditional security platform expanding to crypto
- Self-Hosted: Some protocols run their own programs
Bounty Reward Structure
Rewards scale with severity:
- Critical: $100,000 - $10,000,000+
- High: $25,000 - $100,000
- Medium: $5,000 - $25,000
- Low: $1,000 - $5,000
Major Bug Bounty Programs
| Protocol | Max Bounty |
|---|---|
| Wormhole | $10,000,000 |
| Optimism | $2,000,000 |
| Polygon | $2,000,000 |
| MakerDAO | $10,000,000 |
Responsible Disclosure Process
- Researcher finds vulnerability
- Reports privately through official channel
- Protocol confirms and assesses severity
- Fix developed and tested
- Patch deployed
- Bounty paid
- Public disclosure (often after delay)
What's In Scope
Typical scope includes:
- Smart contracts
- Core protocol logic
- Economic exploits
- Price manipulation vectors
Out of scope:
- Frontend issues
- Centralized infrastructure
- Known issues
- Theoretical concerns
Bug Bounty Best Practices
For researchers:
- Follow responsible disclosure
- Document findings thoroughly
- Don't exploit on mainnet
- Communicate professionally
For protocols:
- Respond promptly to reports
- Pay fairly based on impact
- Don't penalize researchers
- Publish clear rules