Get started
63982089 586Cfc80 Ca76 11E9 9F44 Ca06D28230C0

Hedera bug bounty program

Find bugs. Submit a report. Earn rewards.

Report a bug Bug bounty policy

A stronger ecosystem

We welcome Hedera community members to contribute to the Hedera network platform and services codebase, developer tools, and more by finding and submitting bugs and vulnerabilities. The entire ecosystem will benefit from the shared efforts in improving the robustness of Hedera’s software and security.
Find Bug
Find bugs

Explore Hedera’s network services and developer tools to discover bugs and vulnerabilities. We ask that you follow the rules of engagement while testing.

Submit A Report
Submit a report

If you find a bug or vulnerability, then report a bug with a description of your findings.

Earn Hbars
Earn rewards

A member of the Hedera team will reach out for further information. Earnings are determined on a case-by-case basis. There is no cap on the amount of rewards you can earn.

Rules of engagement

When in doubt, read the Bug Bounty Policy or email us at [email protected].

Don't use another user's account

You can do cross-account testing, but only access accounts that you own/control.

Use the testnet for all testing purposes

The mainnet is for production use and should not be used for testing.

Don't publicly disclose a bug before it's fixed

Exposing a bug or vulnerability before Hedera is able to remediate could directly harm the Hedera network and the community, and will result in not receiving a reward for the bug's discovery.

Don't impact other users with your testing

This includes testing for vulnerabilities by impacting an account you do not own.

Never attempt non-technical attacks

Social engineering, phishing, or physical attacks against Hedera employees, users, or the network infrastructure is not allowed.

Detailed reports with reproducible steps

If the provided report is not detailed enough to reproduce the issue, then the issue will not be eligible for a reward.

One vulnerability per report

Unless you need to chain vulnerabilities to provide impact.

We don't award duplicate reports

We only award the first report that was received (provided that it can be fully reproduced).

One reward for vulnerabilities

Only a single bounty will be rewarded for underlying issues causing multiple vulnerabilities.

Hedera Improvement Proposals

Have a suggestion or feature request? The Hedera Improvement Proposal (HIP) program is the place to do it. HIPs can range from core protocol changes, to the applications, frameworks, and protocols built on top of the Hedera public network and used by the community. Get started by visiting the HIP repository.

Submit a report

Send an email with a description of your findings to earn rewards

Report a bug