BUG BOUNTY POLICY

Introduction

Hedera works hard to ensure systems and software are bug-free but acknowledges that we may not catch them all. We welcome everyone to contribute to the Hedera network platform and services codebase, developer tools, website, and more by finding and submitting security vulnerabilities.

The entire Hedera ecosystem will benefit from the shared efforts in improving the robustness of Hedera software and security. We encourage responsible disclosure of security vulnerabilities via Hedera’s bounty program (“Bug Bounty Program”) described on this page.

Installation & Setup

Hedera is a decentralized public distributed ledger and governing body built from the ground up to support new and existing applications. Developers use Hedera's two primary network services — the Hedera Consensus and Token Services — atop the hashgraph consensus algorithm, to build applications with high throughput, fair ordering, and consensus finality in seconds, without relying on centralized infrastructure.

Applications are developed using the easy-to-use Hedera API (HAPI) and officially supported / community-supported SDKs.

To get started on the Hedera testnet, visit Getting Started with Hedera in the official Hedera documentation.

Rewards & Tiers

The bounties or rewards listed next to each tier are a maximum for each tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.

Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have drastically different security impacts at different points in the development timeline.

Hedera Services, Mirror Node, and SDKs Code In Scope

Hedera.com Web Assets In Scope

Response Targets

A valid submission is any in-scope report that clearly demonstrates a software vulnerability that harms the Hedera network and/or its users, as well as web assets found on Hedera-owned domains. A report must be in scope and meet the rules of engagement in order to qualify for a bounty. Hedera will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Type of Response        SLA in business days
First Response          3 days
Time to Triage          7 days
Time to Bounty          10 days
Time to Resolution      Depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Program Rules

Explore Hedera’s network services, domains, and developer tools to discover bugs and vulnerabilities. We ask that you follow these rules of engagement while testing and participating in the Bug Bounty Program:

Disclosure Policy

Program Policies

Hedera will not initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, done in good faith. This includes accidental violations. We consider these activities consistent with the policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c).

Any researcher who circumvents the technological measures used to protect any assets found within scope will not be pursued with a DMCA claim. If a third party initiates legal action against you, and you have abided by the Bug Bounty Program Policy, we’ll make it known that your actions were in compliance with this policy.

If your security research involves any network, system, information, application, product, or service of another party that is not Hedera, that party is not bound by our pledge and may determine to pursue legal action. Security research on third-party entities cannot be and is not authorized by Hedera.

If your intended conduct is inconsistent with or unaddressed by this policy, please submit a HackerOne report before engaging in research activities. Please include a detailed description of your intended conduct. Hedera will determine whether it is consistent with the Bug Bounty Program policy and update the policy accordingly.

In order for security researchers to fully investigate potential security vulnerabilities, we believe it’s important to provide these assurances. It’s important to embrace the standardization of policy language that provides legal protection to security researchers. Hedera reserves the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time. The current Bug Bounty Program as described on this page is v1.0. The Bug Bounty Program is covered by Hedera’s Privacy Policy and Terms of Use.

Thank you for helping keep Hedera Hashgraph and its users safe!

In Scope

Source code: Hedera Network Services Codebase
https://github.com/hashgraph/hedera-services
English, Java

Source code: Hedera Mirror Node Codebase
https://github.com/hashgraph/hedera-mirror-node
Java

Source code: Hedera Java SDK
https://github.com/hashgraph/hedera-sdk-java
Java

Source code: Hedera JavaScript SDK
https://github.com/hashgraph/hedera-sdk-js
JavaScript

Source code: Hedera Go SDK
https://github.com/hashgraph/hedera-sdk-go
Go

Other: Hedera Testnet API Endpoints
Testnet nodes belong to the test network and run the same code as the Hedera mainnet nodes: https://docs.hedera.com/guides/testnet/testnet-nodes

Other: Testnet Mirror Node APIs
https://testnet.mirrornode.hedera.com
https://hcs.testnet.mirrornode.hedera.com

Other: Hedera Owned Domains & Subdomains
*.hedera.com
*.hederacouncil.org
*.hedera.io
*.hederahashgraph.com
*.hashgraph.com

Out of Scope

Domain: *.swirlds.com
*.swirlds.com is not in-scope for the bug bounty program.

Domain: shop.hedera.com
shop.hedera.com is powered by shopify.com and is not in-scope for the bug bounty program.

Domain: members.hedera.com
members.hedera.com is powered by causewaynow.com and is not in-scope for the bug bounty program.

Domain: status.hedera.com
status.hedera.com is powered by statuspage.io and is not in-scope for the bug bounty program.

Domain: docs.hedera.com
docs.hedera.com is powered by gitbook.com and is not in-scope for the bug bounty program.

Other: Hedera Mainnet API Endpoints
https://docs.hedera.com/guides/mainnet/mainnet-nodes#mainnet-node-address-book

Other: Mainnet Mirror Node APIs
https://mainnet.mirrornode.hedera.com
https://hcs.mainnet.mirrornode.hedera.com

Other: Weak Password Policy
Weak Password Policy for all services is not in-scope for the bug bounty program.

Other: DMARC Policy
DMARC Policy for all services is not in-scope for the bug bounty program.