Bug Bounty

PAL can provide reimbursement for bug bounty programs run by chains built on Polkadot-SDK which are secured by Polkadot.

The Bug Bounty Reimbursement Program supports projects running effective bug bounty programs, ensuring vulnerabilities across the Polkadot ecosystem are discovered, fixed, and disclosed responsibly.

Final decision on reimbursement amount (or denial) is made by PAL curators.

Bug Bounty Autonomy

  1. Projects must fully manage their bounty programs (creation, announcements, reward disbursements).
  2. PAL may offer guidance but does not run bounties on behalf of projects.
  3. PAL will never interfere with any bug bounty program.

Funding

Parachain projects that apply to any of PAL's funding programs can receive a combined total of up to $100,000 every 6 months.

Through the Bug Bounty Reimbursement Program, PAL can reimburse up to 50% of the total whitehat payout (platform fees excluded), capped at $80,000 per project per calendar year. The maximum reimbursement per reported vulnerability depends on its severity classification, per the following table:

  Severity   Max Payout
  Critical   Up to $50,000
  High       Up to $25,000
  Medium     No reimbursement
  Low        No reimbursement

In addition, reimbursement amounts take into account potential cross-project or systemic risk, the quality of the bug bounty report, how quickly the vulnerability was patched, and whether disclosure to affected projects and stakeholders was handled responsibly.

All funding is paid out in DOT, valued at the 30-day exponential moving average (EMA) DOT price.

Eligibility Criteria

To be eligible for the Bug Bounty Reimbursement Program, applications need to satisfy all of the following criteria:

  • The vulnerability reported relates to Rust code that is part of the Runtime of a Polkadot-SDK chain or its node host.
  • The applicant team is a Polkadot-SDK chain producing blocks on the Polkadot Network secured by Polkadot.
  • The requested amount is, at most, the maximum defined in the table above.
  • The code is open source.
  • The bug must have been reported on or after December 1st, 2024.
  • Teams must submit the application form no later than 3 months after the bounty payment to the whitehat.
  • The applicant agrees that PAL will make the bounty report public (once the team has addressed any open issues).
  • After the team has paid the bounty to the reporter (whitehat), and preferably once the vulnerability is fixed, deployed, and ready for disclosure, the project is required to submit the following through the onboarding form:
    1. A bounty report detailing the vulnerability, its severity, and its resolution.
    2. Evidence of the whitehat payment (receipts, transaction IDs, etc.).
    Reimbursement applications missing either of these two items are automatically discarded by PAL curators.
  • If a discovered vulnerability may affect other projects, PAL may request a private disclosure phase before public release.

Application

Follow the steps below to apply to the Bug Bounty Reimbursement Program:

  1. Ensure you fulfill the Eligibility Criteria.
  2. Join the PAL Discord - this is where all communication takes place.
  3. Submit your funding application using our Application Form at the top of this page.

The usual processing time for applications is 1-2 weeks. We will keep you updated in a dedicated Discord channel.