Hedera works hard to ensure systems and software are bug-free but acknowledges that we may not catch them all. We welcome everyone to contribute to the Hedera network platform and services codebase, developer tools, website, and more by finding and submitting security vulnerabilities.
The entire Hedera ecosystem will benefit from the shared efforts in improving the robustness of Hedera software and security. We encourage responsible disclosure of security vulnerabilities via Hedera’s bounty program (“Bug Bounty Program”) described on this page.
Hedera is a decentralized public distributed ledger and governing body built from the ground up to support new and existing applications. Developers use Hedera's two primary network services — the Hedera Consensus and Token Services — atop the hashgraph consensus algorithm, to build applications with high throughput, fair ordering, and consensus finality in seconds, without relying on centralized infrastructure.
To get started on the Hedera testnet, visit Getting Started with Hedera in the official Hedera documentation.
The bounties or rewards listed next to each tier are a maximum for each tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline.
Hedera Services, Mirror Node, and SDKs Code In Scope
Hedera.com Web Assets In Scope
Reports will be accepted for Web Assets but are not eligible for bounty payout.
A valid submission is any in-scope report that clearly demonstrates a software vulnerability that harms the Hedera network and/or its users, as well as web assets found on Hedera-owned domains. A report must be in scope and meet the rules of engagement in order to qualify for a bounty. Hedera will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
| Type of Response | SLA in business days |
|---|---|
| First Response | 3 days |
| Time to Triage | 7 days |
| Time to Bounty | 10 days |
| Time to Resolution | Depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Explore Hedera’s network services, domains, and developer tools to discover bugs and vulnerabilities. We ask that you follow these rules of engagement while testing and participating in the Bug Bounty Program:
Hedera will not initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, done in good faith. This includes accidental violations. We consider these activities consistent with the policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c).
Any researcher who circumvents the technological measures used to protect any assets found within scope will not be pursued with a DMCA claim. If a third party initiates legal action against you, and you have abided by the Bug Bounty Program Policy, we’ll make it known that your actions were within compliance of this policy.
If your security research involves any network, system, information, application, product, or service of another party that is not Hedera, that party is not bound by our pledge and may determine to pursue legal action. Security research on third-party entities cannot be and is not authorized by Hedera.
If your intended conduct is inconsistent with or unaddressed by this policy, please submit a HackerOne report before engaging in research activities. Please include a detailed description of your intended conduct. Hedera will determine whether it is consistent with the Bug Bounty Program policy and update the policy accordingly.
Thank you for helping keep Hedera Hashgraph and its users safe!
| Type | Asset | Notes |
|---|---|---|
| Source code | Hedera Network Services Codebase | |
| Source code | Hedera Mirror Node Codebase | |
| Source code | Hedera Java SDK | |
| Source code | Hedera Go SDK | |
| Other | Hedera Testnet API Endpoints | Testnet nodes belong to the test network and run the same code as the Hedera mainnet nodes: https://docs.hedera.com/guides/testnet/testnet-nodes |
| Other | Testnet Mirror Node APIs | |
| Other | Hedera Owned Domains & Subdomains* | |

* Reports not eligible for bounty
| Type | Asset | Notes |
|---|---|---|
| Other | Hedera Mainnet API Endpoints | |
| Other | Mainnet Mirror Node APIs | |
| Other | Weak Password Policy | Weak Password Policy for all services is not in-scope for the bug bounty program. |
| Other | DMARC Policy | DMARC Policy for all services is not in-scope for the bug bounty program. |
| Other | HSTS & CAA Configuration | |
| Other | Services Hosted by 3rd Party | Example: shop.hedera.com, members.hedera.com, status.hedera.com, docs.hedera.com, netki.hedera.com, etc. |