wormhole/ImmuneFi bug-bounty.md

# Wormhole Bug Bounty - ImmuneFi

The Wormhole bug bounty program is focused on the prevention of negative impacts to the Wormhole ecosystem, which currently covers our smart contracts, web UI, guardian nodes, and Wormhole integrations.

**The primary prevention focuses are as follows:**

* Exploits resulting in the locking, loss, or theft of user funds.

* General forging of unverified data, or validation of forged messages.

* Determinism bugs that could lead to inconsistent bridge states.

* Governance manipulation.

* Exposure of infrastructure private keys and/or PII.

* Vulnerabilities in the node operating software resulting in invalid behaviour.

* Remote code execution.

* Bugs that can facilitate Sybil attacks.


All web/app bug reports must come with a Proof of Concept in order to be considered for a reward. All smart contract and guardian node bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.


**Further detail can be found here**: https://www.immunefi.com/bounty/wormhole


| **Smart Contracts**  |               |
| ------------- | ------------- |
| Critical  | Up to USD $10,000,000  |
| High      | USD $100,000  |
| Medium    | USD $10,000  |
| Low       | USD $2,500  |


| **Guardian Nodes (Blockchain/DLT)** |               |
| ------------- | ------------- |
| Critical  | Up to USD $10,000,000  |
| High      | USD $100,000  |
| Medium    | USD $5,000  |
| Low       | USD $2,000  |


| **Websites and Applications**  |               |
| ------------- | ------------- |
| Critical  | Up to USD $50,000  |
| High      | USD $10,000  |
| Medium    | USD $5,000  |
| Low       | USD $1,000  |


Payouts are handled by the Terraform Labs Ltd team directly and are denominated in **USD**; however, payouts will be made in **USDC**. Further information about TFL can be found here: https://www.terra.money/
Create ImmuneFi Bug Bounty.MD (#832) * Create ImmuneFi bug-bounty.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> 2022-02-11 13:38:52 -08:00			`# Wormhole Bug Bounty - ImmuneFi`

			`The Wormhole bug bounty program is focused on the prevention of negative impacts to the Wormhole ecosystem, which currently covers our smart contracts, web UI, guardian nodes, and Wormhole integrations.`

Update the bug bounty to $10m 2022-02-11 13:44:24 -08:00			`The primary prevention focuses are as follows:`
Create ImmuneFi Bug Bounty.MD (#832) * Create ImmuneFi bug-bounty.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> 2022-02-11 13:38:52 -08:00
			`* Exploits resulting in the locking, loss, or theft of user funds.`

			`* General forging of unverified data, or validation of forged messages.`

			`* Determinism bugs that could lead to inconsistent bridge states.`

			`* Governance manipulation.`

			`* Exposure of infrastructure private keys and/or PII.`

			`* Vulnerabilities in the node operating software resulting in invalid behaviour.`

			`* Remote code execution.`

			`* Bugs that can facilitate Sybil attacks.`




			`All web/app bug reports must come with a Proof of Concept in order to be considered for a reward. All smart contract and guardian node bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.`



			`Further detail can be found here: https://www.immunefi.com/bounty/wormhole`




Update the bug bounty to $10m 2022-02-11 13:44:24 -08:00			`\| Smart Contracts \| \|`
Create ImmuneFi Bug Bounty.MD (#832) * Create ImmuneFi bug-bounty.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> 2022-02-11 13:38:52 -08:00			`\| ------------- \| ------------- \|`
Update the bug bounty to $10m 2022-02-11 13:44:24 -08:00			`\| Critical \| Up to USD $10,000,000 \|`
Create ImmuneFi Bug Bounty.MD (#832) * Create ImmuneFi bug-bounty.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> 2022-02-11 13:38:52 -08:00			`\| High \| USD $100,000 \|`
			`\| Medium \| USD $10,000 \|`
			`\| Low \| USD $2,500 \|`




Update the bug bounty to $10m 2022-02-11 13:44:24 -08:00			`\| Guardian Nodes (Blockchain/DLT) \| \|`
Create ImmuneFi Bug Bounty.MD (#832) * Create ImmuneFi bug-bounty.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> 2022-02-11 13:38:52 -08:00			`\| ------------- \| ------------- \|`
Update the bug bounty to $10m 2022-02-11 13:44:24 -08:00			`\| Critical \| Up to USD $10,000,000 \|`
Create ImmuneFi Bug Bounty.MD (#832) * Create ImmuneFi bug-bounty.md Co-authored-by: Jeff Schroeder <jeffschroeder@computer.org> 2022-02-11 13:38:52 -08:00			`\| High \| USD $100,000 \|`
			`\| Medium \| USD $5,000 \|`
			`\| Low \| USD $2,000 \|`




			`\| Websites and Applications \| \|`
			`\| ------------- \| ------------- \|`
			`\| Critical \| Up to USD $50,000 \|`
			`\| High \| USD $10,000 \|`
			`\| Medium \| USD $5,000 \|`
			`\| Low \| USD $1,000 \|`



			`Payouts are handled by the Terraform Labs Ltd team directly and are denominated in USD; however, payouts will be made in USDC. Further information about TFL can be found here: https://www.terra.money/`