The Mintlayer bug bounty program

Mintlayer is happy to accept reports of any kind of bug, although currently only valid security issues will be eligible for a bounty. Only the first report of any issue will be considered valid, and the bug must not already exist in any of our internal bug tracking systems or already be fixed in another branch of the code that is yet to be merged. All valid security issues will allow the reporter to be listed in our "bug finders list" in the project repo.

Email security@mintlayer.org or enrico@rbblab.com for security issues. For secure submissions, Enrico's PGP key can be found here. Non-security bugs can be sent to bugs@mintlayer.org or opened as issues on the repository.

We will endeavour to respond within 3 working days to verify that we can replicate the issue or to ask for further information. The time until a fix is released will depend on the complexity and severity of the issue disclosed. The reporter may not publicly announce the issue until a patch has been released and prior authorisation has been given; any issue publicly announced without agreement will be considered ineligible for a reward.

Mintlayer bounties will be paid in ML mainnet coins. Bounties awarded will be worth up to 25,000 USD (paid in ML coins); the value will depend on the severity of the issue and the difficulty of exploitation, as assessed using the CVSS score and the opinion of the core development team.

Security issue ticklist:

  • The issue is valid in the latest code release (and has not since been fixed) or in the master branch of the repository.
  • The issue has not been previously reported by another bug bounty hunter or discovered internally.
  • The bug has been reported responsibly.
  • A bug is only valid if it is found on a network you have created yourself (you should create your own network by modifying the source code in our Code repository). A bug found attacking any Mintlayer run testnet or mainnet will be considered invalid.

In scope (Mintlayer core node, the Mojito browser extension, Mojito Mobile App and the Mintlayer core repo wallets):

  • Double spend attacks
  • Secure information leakage (secret keys or mnemonic phrases)
  • Transaction tampering
    • Changing amount of a transaction
    • Changing the token in the destination
    • Changing the destination of a transaction
  • Remote code execution
  • Contract or script tampering
  • Other issues will be judged on a case-by-case basis - email us if you have something you think should apply

Out of scope:

  • DoS/DDoS attacks
  • Usage of any Mintlayer mainnet or testnet
  • MITM attacks or attacks requiring physical access
  • Non-best-practice SSL/TLS usage
  • Any *.mintlayer.org site that is not mentioned above
  • Bugs in libraries used by Mintlayer that are not related to misuse in the Mintlayer code base
  • Bugs in libraries used by Mintlayer already publicly announced elsewhere
  • Any issue listed on Mintlayer's repository or known internally (there is a slight lag between an issue being known internally and being listed publicly)
  • Issues only affecting non-stable Mintlayer builds such as development builds
  • RCE without a proof of concept
  • Reports that use another’s account without consent
  • Publicly announced issues
  • Issues that directly impacted other users in the discovery or proving stages
  • Social engineering and phishing attacks
  • Reports without reproducible steps
  • Reports that cannot be reproduced