Bug Bounties

The following are the bug bounty programs run by different projects in the Polkadot ecosystem.

Polkadot & Kusama

Core components of Polkadot, Kusama and the Polkadot SDK are covered by the Parity Bug Bounty program. Current scope includes:

  • Polkadot SDK: implementation-related issues only. Any bugs which can be used to bring down or take control of Substrate-based chains without direct access to the machine, including bugs in pallets and primitives.
  • Runtimes: any bugs that compromise the intended behaviour of the various blockchain runtimes (Kusama, Polkadot, etc.).
  • Parity Releases Pipeline: any bugs which could be used to enable an attacker to inject malicious code into our distributed binaries, or be used to halt Parity's release process or add malicious/unintended functions to the released binaries.
  • Production infrastructure: publicly available infrastructure Parity runs for production-grade networks (in contrast to testnets), especially parts which are critical for a network's well-being or safety of funds. Please note that this does not include our publicly available web pages.
  • Polkadot-JS: only apps, extension, and common repositories. Please note that where the scope of this policy includes third-party code, this should not be taken as an indication that we are legally or otherwise responsible for that code, its security, quality or your rights in respect of that code.

Find more details on the Parity Bug Bounty program.

Polkadot Kusama Bridge

The bridge between Polkadot and Kusama is covered by the Bridges Bug Bounty program. Current scope includes:

  • Parity Bridges Common
  • Polkadot SDK Bridges
  • Bridge Hub Parachain Runtimes (Polkadot SDK)
  • Bridge Hub Parachain Runtimes (Fellowship)

Find more details on the Bridges Bug Bounty program.