Bug Bounty Program
Last updated
R5's bug bounty program is managed by R5 Labs. It aims to continuously incentivise security and feature improvements to the protocols and tools developed by R5 Labs in conjunction with the broader R5 community.
R5 200,000 were committed to the bug bounty program out of the pre-allocated funds. Once these funds are depleted, community funding via donations will be needed to keep the Bug Bounty Program active. If you would like to donate, please use the wallet address below:
0x66a88f34AE8800561084EBb351dafAAA248a15b8
R5 is a community-driven project, and bugs are a normal part of the product development cycle. Collaborators are always working to get them patched and fixed, and most of the work is done by volunteers. We therefore do not deem small UI or function fixes that were already in the development schedule to be worthy of bug bounty prizes.
That is not to say that bugs that can cause function breakdowns and compromise the stability of the nodes won't be looked at, but the main goal of our bug bounty program is to identify vulnerabilities that may expose sensitive data (such as private keys) in our protocols or, most critically, affect the blockchain state management.
Some of our websites use WordPress, and bugs related to the WordPress protocol won't be considered to be part of the scope of this bug bounty program.
If you have found minor vulnerabilities or bugs, you can also contribute directly to the open source codebase to patch them. Being a community-run project, we depend on community support to operate, and your direct contribution will also yield you points and influence with the community.
Vulnerabilities found in these specific codebases will yield a 10% bonus payment to the person that finds and submits them via the .
Blockchain client (r5-core/client)
CLI Wallet (r5-core/cliewallet)
GUI Wallet (r5-wallet)
This schedule gives bug bounty hunters an indication of how much they can expect as a payout. The R5 Labs team will ultimately evaluate and assess each submission individually, using the schedule below as a baseline. Unless specified otherwise, bugs and vulnerabilities that are submitted with a fix/patch will yield an additional 20% payout.
| Scope | Severity | Description | Payout |
| --- | --- | --- | --- |
| Blockchain client-related code, excluding tooling and the SDK | Low | Small bugs that affect functionality of the protocol but do not put the integrity of the chain state at risk. These need to be submitted with a fix to be accepted. | From R5 10 - 50 |
| Blockchain client-related code, excluding tooling and the SDK | Medium | Bugs that can cause a function or feature to break down, causing credentials to be exposed or other types of vulnerabilities, but do not pose a risk to the chain state integrity. | From R5 100 - 500 |
| Blockchain client-related code, excluding tooling and the SDK | High | Vulnerabilities that may pose a severe threat to the functioning of the client protocol, but do not put the integrity of the chain state at risk. | From R5 250 - 1,000 |
| Blockchain client-related code, excluding tooling and the SDK | Critical | Vulnerabilities that threaten the integrity of the chain state (reorgs and double spending, for example). | From R5 1,000 |
| R5 tooling and SDK codebase | Low, Medium, High | Bugs that may cause function breakdowns or vulnerabilities to developers while using the tools. | From R5 10 - 250 if a bug is submitted without a patch/solution; from R5 20 - 350 if a bug is submitted with a patch/solution |
| R5 tooling and SDK codebase | Critical | Vulnerabilities that expose sensitive information or may have potential to directly impact chain state management with reorgs, double-spending, etc. | From R5 750 if submitted without a patch/solution; from R5 1,250 if submitted with a patch/solution |
| Other code | Low, Medium | Bugs and vulnerabilities that have potential to cause instability but do not leak sensitive information or have the potential to affect the chain state management. | From R5 10 - 250 if submitted without a patch/solution; from R5 20 - 350 if submitted with a patch/solution |
| Other code | High | Bugs and vulnerabilities that have the potential to leak sensitive data but don't present risk to the chain state management. | From R5 20 - 350 if submitted without a patch/solution; from R5 50 - 500 if submitted with a patch/solution |
| Other code | Critical | Bugs and vulnerabilities with potential to compromise the chain state management. | From R5 1,000 |
* The payout figures are just indications, and the R5 Labs team will make their own judgement on how critical the vulnerability is based on its threat-level to the users, developers, and most importantly, to the chain state management. However, in all assessments this schedule will be used as a guideline.
Use the form below to make your submission. Please read the Terms & Conditions before proceeding.