The Mintlayer bug bounty program

Mintlayer is happy to accept any kind of bug report, although currently only valid security issues are eligible for a bounty. Only the first report of any given issue will be considered valid. Every valid bug entitles the reporter to be listed in the bug finders list in the project repo.

Email security@mintlayer.org for security issues. Non-security bugs can be sent to bugs@mintlayer.org or opened as issues on GitHub.

We will endeavour to respond within 3 working days, either to confirm that we can replicate the issue or to ask for further information. The time until a fix is released will depend on the complexity and severity of the issue disclosed. The reporter must not publicly disclose the issue until a patch has been released; any issue announced publicly without prior authorisation will be considered invalid for a bounty.

Mintlayer bounties will initially be paid in MLT (ERC-20 or mainnet tokens, depending on the status of the mainnet release). Bounties of up to 25,000 USD (paid in MLT tokens) will be awarded; the amount depends on the severity of the issue and the difficulty of exploitation, assessed using the CVSS score together with the judgement of the core development team.

Security issue checklist (all of the following must hold):

  • The issue is valid in the latest code release or in the master branch on GitHub
  • The issue has not been previously reported by another bug bounty hunter or discovered internally
  • The bug has been reported responsibly (privately, to security@mintlayer.org, and not disclosed publicly before a patch is released)
  • A bug is only valid if it is found on a network you have set up yourself (create your own network by building and modifying the source code in our GitHub repo). A bug found by attacking any Mintlayer testnet or mainnet will be considered invalid.

In scope (Mintlayer core node, the Mintlayer launch platform and the Mintlayer wallet):

  • Transaction replay attacks and double-spend attacks
  • Leakage of sensitive information (secret keys or mnemonic phrases)
  • Transaction tampering
    • Changing the amount of a transaction
    • Changing the token delivered to the destination
    • Changing the destination of a transaction
  • Remote code execution
  • Contract or script tampering
  • launch.mintlayer.org
  • Other issues will be judged on a case by case basis - email us if you have something you think should apply

Out of scope:

  • DoS/DDoS attacks
  • Usage of any Mintlayer mainnet or testnet
  • MITM attacks or attacks requiring physical access
  • SSL/TLS configuration that merely falls short of best practice
  • Any *.mintlayer.org host not mentioned above
  • Bugs in libraries used by Mintlayer that are not related to misuse in the Mintlayer code base
  • Bugs in libraries used by Mintlayer already publicly announced elsewhere
  • Any issue already listed on GitHub or known internally (there may be a slight lag between an issue being known internally and being listed publicly)
  • Issues only affecting non-stable Mintlayer builds such as development builds
  • RCE without a proof of concept
  • Reports that use another’s account without consent
  • Publicly announced issues
  • Issues whose discovery or proof directly impacted other users
  • Social engineering and phishing attacks
  • Reports without reproducible steps
  • Reports that cannot be reproduced