Bug Bounty Program

The Dash Core Group Bug Bounty Program allows developers to discover and resolve bugs before the general public is aware of such bugs, preventing incidents of widespread abuse. If you find a security vulnerability on any of the in-scope products mentioned below, please let us know right away by reporting it.

  • Mainnet
  • Dash Core Desktop Wallet
  • Dash Wallet Android
  • Dash Wallet iOS

Responsible Disclosure

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.  If you prefer to submit via an encrypted email you can download the key above and email the details to infosec@dash.org.

Eligibility Requirements for Individuals

  • You cannot have any contractual engagement with DCG
  • You cannot have any contractual engagement with the DIF
  • You cannot be an active Trust Protector
  • You cannot receive a bounty from the incubator for the same bug
  • You must provide basic KYC information (passport, local ID, etc.)
  • Recipients must provide a USD bank account or a Dash address at a major exchange
  • Residents / Citizens of OFAC restricted countries can report bugs but will not be eligible for a payout

Bounty Rewards

The goal of the DCG Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. Vulnerability submissions must meet certain criteria to be eligible for bounty rewards. Bounty rewards are based on a combination of priority and severity.

  • Level 1 (60 Points) = $5,000
  • Level 2 (50 Points) = $2,000
  • Level 3 (40 Points) = $750
  • Level 4 (30 Points) = $200
  • Level 5 (20 Points) = $50
Priority
(High)
Priority
(Medium)
Priority
(Low)
Severity
(High)
60 points
50 points
40 points
Reward
$5,000
$2,000
$750
Severity
(Medium)
50 points
40 points
30 points
Reward
$2,000
$750
$200
Severity
(Low)
40 points
30 points
20 points
Reward
$750
$200
$50

ELIGIBLE

  • Identify a vulnerability that was not previously reported to, or otherwise known by, DCG
  • Such vulnerability must be reproducible in one of the in-scope products by DCG
  • Include clear, concise, and reproducible steps, either in writing or in video format
    • Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue

INELIGIBLE

  • Vulnerabilities that require root/jailbreak access to exploit unless the root/jailbreak is initiated by the attacker after gaining physical access to the device
  • Third-party libraries that are not owned by DCG
High severity image

Severity High

30 Points Could cause a loss of funds
Without a device access

Private key exposure, recovery phrase exposure, pin code attack/bypass

Medium severity image

Severity Medium

20 Points Prevents the use or receipt of funds
Without a device access

Cannot sync with the chain, persistent error when trying to send Dash, cannot receive a transaction that was successfully submitted to the network

Breach of privacy
With device access

Private key exposure, recovery phrase exposure, pin code attack/bypass, balance or transaction visibility without the required authentication

Low severity image

Severity Low

10 Points

Wallet balance and transactions
With device access Incorrect balance, incomplete transaction history that is reproducible, cannot recover a valid wallet


 

Low priority image

Priority High

30 Points Very likely to occur, can occur on every device model and in any localization with the latest OS version, does not require the installation of additional software on the device

Medium priority image

Priority Medium

20 Points Moderate likelihood to occur, can only occur on specific device models in any localization with any supported OS version or can occur on every device model in a specific localization with any supported OS version

Low priority image

Priority Low

10 Points Low likelihood of occurring, can occur on a specific device model or a specific localization with a specific OS version

Bounty Payments

  • Awards will be paid in Dash based on the current USD price at the date/time of the original submission
    • Dash amounts are based on the volume-weighted average USD price published at messari.io
  • Payouts will not cover any banking/transfer fees
  • DCG will make any final decisions regarding severity and priority scoring