Report vulnerabilities. Earn rewards.

Bug Bounty Program

Help maintain trust and prevent exploits on the Hedera network by taking part in an incentive program to identify and responsibly disclose security vulnerabilities. The Hedera Bug Bounty Program embodies the decentralized ethos of web3 by engaging the broader community in proactive and transparent testing and reporting. 

Help safeguard the network

A stronger ecosystem

Contribute to the strength of the Hedera network by finding and submitting bugs and vulnerabilities in the platform, services, and developer tools. Shared efforts improve the robustness and security of the entire ecosystem.

Find bugs

Explore Hedera network services and developer tools to identify vulnerabilities. Follow the rules of engagement while testing.

Submit a report

Document your findings and submit a bug report with a clear description of the issue.

Earn rewards

The Hedera team will review your submission and may request further information. Rewards are determined on a case-by-case basis, with no cap on potential earnings.

Bug bounty guidelines

Rules of engagement

Don't use another user's account

Cross-account testing is allowed, but only with accounts that you own or control.

Use testnet for all testing

Mainnet is for production only and must not be used for testing.

Don't publicly disclose a bug before it's fixed

Public disclosure before remediation could harm the Hedera network and community, and will result in no reward for the discovery.

Don't impact others during testing

Testing must never affect accounts you do not own.

Never attempt non-technical attacks

Social engineering, phishing, or physical attacks against Hedera employees, users, or the network infrastructure are strictly prohibited.

Provide detailed, reproducible reports

Reports must be detailed enough to reproduce the issue. Incomplete reports are not eligible for rewards.

One vulnerability per report

Exceptions apply only if you need to chain vulnerabilities to show impact.

No rewards for duplicate reports

Rewards are given only to the first reproducible report received.

One reward per root cause

If multiple vulnerabilities stem from the same underlying issue, only one bounty will be awarded.

Hiero Improvement Proposals

Have a suggestion or feature request? The Hiero Improvement Proposal (HIP) program is the place to submit it. HIPs can encompass changes to the core protocol as well as applications, frameworks, and protocols built on Hiero.

Find a vulnerability?

Send a report with a description of your security vulnerability findings to earn rewards.