Explore Hedera’s network services and developer tools to discover bugs and vulnerabilities. We ask that you follow the rules of engagement while testing.
If you find a bug or vulnerability, report it with a description of your findings.
A member of the Hedera team will reach out for further information. Earnings are determined on a case-by-case basis. There is no cap on the amount of rewards you can earn.
You can do cross-account testing, but only access accounts that you own/control.
The mainnet is for production use and should not be used for testing.
Exposing a bug or vulnerability before Hedera is able to remediate it could directly harm the Hedera network and the community, and will make you ineligible for a reward for the bug's discovery.
This includes testing for vulnerabilities by impacting an account you do not own.
Social engineering, phishing, or physical attacks against Hedera employees, users, or the network infrastructure are not allowed.
If the provided report is not detailed enough to reproduce the issue, then the issue will not be eligible for a reward.
Unless you need to chain vulnerabilities to provide impact.
We reward only the first report received (provided that it can be fully reproduced).
Only a single bounty will be awarded for underlying issues causing multiple vulnerabilities.