Internet Computer
Bug Bounty Policy

This bug bounty program focuses on the Internet Computer Protocol (ICP), core Internet Computer components, and related products. To learn about rewards you could get, see the “Rewards” section. If you’re new to finding security bugs in ICP dapps, read the security best practices.

Submit Bug Report

Scope and Targets

For a bug to be considered for a bounty, it must be in the scope outlined in this section. If you found a bug that is not explicitly in scope, we encourage you to still submit it. It may still qualify for a bounty depending on DFINITY’s discretion and the attack’s impact.

🎯 Core Internet Computer Protocol Stack

The Internet Computer Protocol is a distributed protocol run by multiple nodes that constitute the Internet Computer blockchain network. It is structured into layers which are peer-to-peer, consensus, message routing, and execution. See our protocol documentation and specs. In order to get a good overview of the Internet Computer and to get started see our documentation.

The Internet Computer Protocol (ICP) GitHub Repository

Some important components are the following, but protocol implementation spans across additional crates:

🎯 Governance: Network Nervous System and Service Nervous System

Network Nervous System (NNS)

All aspects of ICP behavior are governed by the community of enthusiasts and users through a democratic governance system called the Network Nervous System (NNS). A high-level introduction can be obtained from this quick video.

Service Nervous System (SNS)

ICP offers a framework to launch decentralized autonomous organizations (DAOs), called the Service Nervous System (SNS):

Frontend applications

The NNS front-end dapp provides a user-friendly way to interact with the Internet Computer's governance system. It offers features such as logging in using Internet Identity, sending and receiving tokens, staking neurons, and viewing and voting on NNS and SNS proposals. See also the NNS dapp tutorial.

🎯 Financial Integrations

ICP provides ledger implementations for the ICP token according to the ICRC standards:

Rosetta API provides applications that third parties (e.g. exchanges) can run to obtain ICP price data:

🎯 Chain Fusion and Cross-Chain Applications

Chain-Key (ck) Tokens

These are ICRC compliant tokens that bring other assets, such as BTC or ETH to the ICP ecosystem. See also the Chain Fusion page.

🎯 Internet Identity: Self-Sovereign Single Sign-on Solution

Internet Identity is an anonymous blockchain authentication framework on ICP and supports passkey authentication. Check out the quickstart guide to Internet Identity and the following video.

🎯 Developer Experience and Tooling: SDK, CDK, Motoko

The documentation for tools and development kits to assist with development in ICP can be found here. Motoko is a custom built, native language for ICP that simplifies the development of smart contract canisters.

Source code & domain:

🎯 Internet Computer Infrastructure

Node Operating Systems

The node software runs on the virtual machine termed 'GuestOS' that in turn runs on 'HostOS'. In addition to these OSes, the boundary node systems have their own operating system 'Boundary-guestOS'. Finally, the 'SetupOS' is used to install and set up a node.

Edge Infrastructure: HTTP Gateway and API Boundary Nodes

The HTTP gateways and the API boundary nodes are major ICP infrastructure components. They sit on the perimeter and act as a gateway to the Internet Computer platform. Here is the list of components:

Other infrastructure

In addition to the boundary nodes there are additional infrastructure assets that support the operations of the Internet Computer. Here is the list of the domains:

  • dfinity.network
  • dfinity.systems

🎯 Wallets

Oisy

Oisy is a new browser-based, network-custodial and multi-chain wallet powered by Internet Computer's chain fusion technology.

Orbit

Orbit is a non-custodial platform for secure digital asset and smart contract management on the Internet Computer. It enables teams to define approval workflows, enforce governance policies, and manage assets with flexibility and transparency.

🎯 Exchange Rate Canister

The exchange rate canister provides an oracle service for cryptocurrency and fiat currency exchange rates. It interacts with all data sources using the HTTPS outcalls feature.

🎯 Internet Computer Dashboard

The internet computer dashboard is a web application that provides visibility into the Internet Computer. It provides metrics and information about governance, network (subnets, data centers, nodes), Chain Fusion, etc.

Out of scope

All public websites (not explicitly listed in scope below) and 3rd party code is out of scope for this bug bounty program. You can report issues but we don’t provide rewards.

Network-level DoS and DDoS is out of scope. Network-level misconfigurations or application or platform-level DoS issues (especially crashes) may qualify for a bounty depending on DFINITY’s discretion and the attack’s impact. We ask researchers not to perform DoS attacks on mainnet and production deployments. This will disqualify you from a bounty and from the bug bounty program entirely. Consider using local setups (e.g. using DFX) to demonstrate crashes, or reach out to us and we can support you to reproduce exploits.

Submit informational bug

Program Rules

  • Do not use off the shelf dynamic scanners such as DAST tools on production systems.
  • Make every effort not to damage or restrict the availability of products, services, and infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don't access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don't exploit any DoS/DDoS vulnerabilities or social engineering attacks
  • Don't break any law

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.
  • Act responsibly and in good faith during the disclosure process.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • Abide by the program rules and disclosure guidelines.
  • Ensure that the potential security bug you are reporting is in scope as specified in the Scope & Targets section below.
  • Any vulnerability found must be reported as soon as possible after discovery and ideally through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
  • You must not be a current employee of DFINITY or one of its contractors.
  • Only use the email address under which you registered your HackenProof account.
  • Do not engage in social engineering techniques or spear-phishing campaigns. Do not cause any harm to the data or the system.
  • Duplicate reports and closely related submissions will be dealt with on a case-by-case basis. If the submissions are determined to be genuine they may be rewarded based on a lower rewards scale.
  • In case that your finding is valid you might be asked for extra KYC verification to proceed with payments

Incident Handling

The Dfinity Foundation will respond to a submission within 72 hours. All valid security bugs will be handled in accordance with the Security Patch Policy and will trigger an internal incident response process. We will keep you updated and work with you throughout the process. Once the security bug has been handled, a communication will be made to the community describing the incident where we will provide an acknowledgment for your efforts and soon follow it up with the rewards.

Incident handling process illustration

Rewards

CRITICAL

$25,000 - $50,000

The attack is easy to perform without special privileges, at a low cost and has a severe global impact.

Example

Disclosure of subnet key shares, compromise of the integrity of the consensus process such as the insertion of an arbitrary block into the blockchain, remote code execution (RCE) in internal networks, memory underflow/overflow issues resulting in theft or illegal minting of exorbitant ( > $1M) amount of ICPs/Cycles.

HIGH

$10,000 - $25,000

The attack is relatively straightforward but may have additional constraints that may affect the ease or cost of the attack to a certain degree but still with a significant impact.

Example

A vulnerability that induces unauthorized access to neurons (access control bypass) but requires significant amount of work per neuron, memory corruption of canisters resulting in loss of integrity but constrained by a limiting factor such as being exploitable only on canisters with certain pre-existing properties.

MEDIUM

$2,000 - $10,000

The attack is difficult to perform, requires significant technical know-how and cost or the target may have to satisfy strict requirements in order to make a significant impact. Also, attacks that are simpler to perform but with moderate impact fall under this category.

Example

Memory corruption resulting in a one-time crash of a single replica on an application subnet, a client-side vulnerability that allows for the theft of individual session keys with access to limited funds, an issue affecting subnet availability but requires control of a node or boundary node.

LOW

$500 to $2,000

Attacks that are very difficult to perform or have a minor impact fall under this category.

Example

A bug resulting in an attacker controlling what is displayed to the user without affecting the server side data, UI redress, a bug that is not demonstrably exploitable but could be exploitable with more research.

INFORMATIONAL

Anything that doesn't fit the other ratings. You can report these issues but we don't provide rewards.

Rewards Payment Process

  1. First, obtain an ICP wallet address. You may use any valid ICP wallet address that best fits your needs and convenience. Below are some custody options you can choose from to obtain a KYC-verified ICP wallet address.
  2. Once your ICP wallet address is ready, send the address along with the email address you plan to associate your account with before starting the KYC process. The provided email address will be whitelisted on the KYC website within approximately 3 working days.
  3. You will receive an email notification once your email has been whitelisted. Submit your KYC application on the KYC DFINITY page by clicking on 'Other' and entering the email address you provided. You will receive a unique link to begin the verification process. The KYC process will be performed by a third party. The only information that the DFINITY Foundation receives is your email address and ICP wallet address.

Ensure that, at every stage of the onboarding process, your wallet address and associated email address are entered correctly to avoid any delay. As a reminder, DFINITY is not responsible for your asset custody nor will it be held accountable for any loss of your ICP distributed to the ICP wallet address you have provided.

If you have any questions regarding your KYC application or obtaining your ICP wallet address, please contact DFINITY Support .

Submit Bug Report

Submit bug report