Internet Computer
Bug Bounty Policy
This bug bounty program focuses on the Internet Computer Protocol and core Internet Computer components and canisters.
Eligibility
- Ensure that the potential security bug you are reporting is in scope as specified in the Scope & Targets section below
- Please treat the report as confidential until the respective teams have a chance to fix the issue. Public disclosure of the vulnerability without abiding by this policy makes it ineligible for rewards
- Do not engage in social engineering techniques or spear-phishing campaigns
- Bugs in third-party code are strictly excluded from the scope.
- Duplicate reports and closely related submissions will be dealt with on a case-by-case basis. If the submissions are determined to be genuine they may be rewarded based on a lower rewards scale
Scope and Targets
🎯 Core Internet Computer Protocol stack
The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitutes the Internet Computer blockchain network platform. The protocol documentation and specs can be found here. In order to get a good overview of the Internet Computer and to get started with it please see here.
Source code: The Internet Computer Protocol (ICP)
🎯 Network Nervous System (NNS) canisters
All the aspects of Internet Computer behavior are governed by the community of enthusiasts and users of Internet Computer through a democratic governance system called the Network Nervous System (NNS). A high-level introduction to the operation of the system can be obtained from this quick video and this medium post.
🎯 Network Nervous System (NNS) Frontend Dapp
The NNS front-end Dapp is a dapp that provides a user-friendly way to interact with the Internet Computer’s governance system. With it, you can:
- Send/receive ICP
- Stake neurons
- Create canisters
- Top-up canisters with cycles
- View and vote on NNS proposals
Source code & domain:
🎯 Internet Identity: Internet Computer Authentication System
The Internet Identity is an anonymous blockchain authentication framework supported by the Internet Computer. It builds on Web Authentication (WebAuthn) API supported by modern web browsers and operating systems, and the "chain key cryptography" framework that powers the Internet Computer. Here is the quick start guide to Internet Computer and also check out the following video.
Source code & domain:
🎯 SDK, CDK, Motoko smart contract language & Dev Tools
The documentation for tools and development kits to assist with development in Internet Computer can be found here. Motoko is the native language of Internet Computer that simplifies the development of smart contract canisters.
Source code & domain:
- The Motoko base library
- Motoko
- DFX
- Rust Canister Development Kit
- DFINITY's JavaScript Agent Repository
- DFINITY's Rust Agent Repository
- Candid
- quill
- icx-proxy
🎯 Internet Computer Infrastructure
Boundary Nodes
One of the major component of the Internet Computer infrastructure are the boundary nodes. The boundary nodes sit on the perimeter and act as a gateway into the Internet Computer platform. Here is the list of boundary node domains:
Other Infrastructure
In addition to the boundary nodes there are additional infrastructure assets that support the operations of the Internet Computer. Here is the list of the domains:
- ic0.app
- raw.ic0.app
- icp0.io
- raw.icp0.io
- dfinity.network
- dfinity.systems
Out of scope
All public websites and 3rd party Dapps are out of scope for this bug bounty program. You can report issues but we don’t provide rewards.
Network-level DoS and DDoS is out of scope. Network-level misconfigurations or application or platform-level DoS issues (especially crashes) may qualify for a bounty depending on DFINITY’s discretion and the attack’s impact. We ask researchers not to perform DoS attacks on mainnet and production deployments. This will disqualify you from the bug bounty program and obtaining bounties. Consider using local setups (e.g. using DFX) to demonstrate crashes, or reach out to us and we can support you to reproduce exploits.
Submit informational bugIncident Handling
Once a submission has been made, Dfinity Foundation will respond within the first 72 hours. All valid security bugs will be handled in accordance with the Security Patch Policy and will trigger an internal incident response process. We will keep you updated and work with you through the process. Once the security bug has been resolved a communication will be made to the community describing the Incident where we will provide an acknowledgment for your efforts and soon follow it up with the rewards.
Rewards
CRITICAL
The attack is easy to perform at a low cost and has a severe global impact.
Example
Disclosure of subnet key shares, Compromise of the integrity of the consensus process, for example, insertion of an arbitrary block into the blockchain, RCE in internal networks, memory underflow/overflow issues resulting in theft or illegal minting of exorbitant ( > $1M) amount of ICPs/Cycles
HIGH
The attack is relatively straightforward but may have additional constraints that may affect the ease or cost of the attack to a certain degree but still with a significant impact.
Example
A vulnerability that induces unauthorized access to neurons (access control bypass) but requires significant amount of work per neuron, memory corruption of canisters resulting in loss of integrity but constrained by a limiting factor such as being expoitable only on canisters with certain pre-existing properties
MEDIUM
The attack is difficult to perform, requires significant technical know-how and cost or the target may have to satisfy strict requirements in order to make a significant impact. Also, the attack that is simpler to perform but with moderate impact falls under this category.
Example
Memory corruption resulting in the crashing of replica process, Client-side vulnerability that allows stealing of credentials or keys from the client (ex, browser) by manipulating the user
LOW
The attack that is very difficult to perform or has a minor impact falls under this category.
Example
A bug resulting in an attacker controlling what is displayed to the user without the affecting the server side data, UI redress, a bug that is not demonstrably exploitable but could be exploitable with more research
Informational bugs
You can report issues but we don’t provide rewards.
Rewards Payment Process
- Obtain an ICP wallet address
- Whitelist your email
- Submit your KYC application
- First, obtain an ICP wallet address. You may use any valid ICP wallet address that best fits your needs and convenience. Below are some custody option examples that you can choose from to obtain a KYCed ICP wallet address.
- Self-Custody (via Keysmith instructions or NNS dapp):
- NNS dapp — Learn how to get started or view a more technical walkthrough.
- Keysmith — Follow step-by-step instructions to set up self-custody via Keysmith.
- 3rd Party Custody Solutions
- Self-Custody (via Keysmith instructions or NNS dapp):
- Once your ICP wallet address is ready, send the address along with the email address you plan to associate your account with before starting the KYC process. The provided email address will be whitelisted on the KYC website (~3 working days).
- You will receive an email notification once your email has been whitelisted. Submit your KYC application on the KYC DFINITY page by clicking on ‘Other’ and entering the email address you provided to receive a unique link to begin the verification process. The KYC will be performed by a 3rd party and all information that the DFINITY Foundation receives is the email address and the ICP wallet address.
Make sure at every stage of the onboarding process that your wallet address and associated email address are entered correctly to avoid any delay. As a reminder, DFINITY is not responsible for your asset custody nor will it be held accountable for any loss of your ICP distributed to you in the ICP wallet address you have provided.
If you have any questions regarding your KYC application or obtaining your ICP wallet address, please contact DFINITY Support.
Submit Bug Report
In addition to filling out a form, bugs can also be submitted by sending mails to
[email protected]