Algorand

The Blockchain Powering The Borderless Economy

  • $125 – $2,500 per vulnerability
  • Up to $5,000 maximum reward
  • Safe harbor
  • Managed by Bugcrowd
Submit report

Program stats

3 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$812.50 average payout (last 3 months)

Latest hall of famers

View the hall

Recently joined this program

85 total

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Algorand was founded by cryptography pioneer and Turing award winner, Silvio Micali, to solve the “blockchain trilemma” with a platform that delivers decentralization, scalability and security. Algorand provides a foundation for existing businesses and new projects to operate globally in the emerging decentralized economy. Algorand’s first-of-its-kind, permissionless, pure proof-of-stake protocol supports the scale, open participation, and transaction finality required to build systems for billions of users.

Algorand invites you to test and help secure our innovative decentralized protocol. We appreciate your efforts and hard work in making the internet (and Algorand) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, a summary of the submission types accepted and their severity rating has been provided under this brief. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Vulnerability Categories:

Please note these will be the only vulnerability categories rewarded for this program. No other submission types will be reviewed nor rewarded. Non-applicable submission types will be marked as such.

P1 categories:

  • Any methods of Remote Code Execution (RCE) on an Algorand node
  • Any methods of double spending, stealing, deleting/burning or creating Algos
  • Any methods to create two or more valid blocks for the same around (Forking)
  • Any methods which can lead to private key compromise

P2 categories:

  • Any security bug or issue in the cryptography relating (Non-third party) to key generations, signing and verification

P3 categories:

  • Any methods to censor transactions or eclipse nodes for the purpose of participation in consensus
  • Any Permanent Denial of Service (unable to progress with consensus protocol) to an Algorand node

P4 categories:

  • Any Denial of Service (unable to progress with consensus protocol) to an Algorand node
  • Any Denial of Service (termination of the process) to an Algorand node

P5 categories:

  • Any bug which allows an attacker to show corrupt information to a consumer of an API (does not need to necessarily corrupt any vital state)

Please test the latest released versions of each project available. Only the newest released package is in scope.

Reward Range

Last updated
Technical severity Reward range
p1 Critical $2,100 - $2,500
p2 Severe $1,200 - $1,500
p3 Moderate $500 - $750
p4 Low $125 - $200
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name Type
Algorand Node - https://github.com/algorand/go-algorand Other
Algorand JavaScript SDK - https://github.com/algorand/js-algorand-sdk Other
Algorand Java SDK - https://github.com/algorand/java-algorand-sdk Other
Algorand Golang SDK - https://github.com/algorand/go-algorand-sdk Other
Algorand Ledger App - https://github.com/algorand/ledger-app-algorand Other
Algorand TestNet Other

Out of scope

Target name Type
https://algorand.foundation/ Website
Hosting Infrastructure of TestNet (AWS, Kubernetes, Other Participants, etc) Other
Distributed denial of service Other
Algorand.com Website
Algorand.org Website
Algorand MainNet Other

Testing is only authorized on the target listed as In-Scope. Any domain/property of Algorand not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Target Information:

You will test Algorand's protocol nodes, SDKs and their integration with TestNet, our primary testing location for the Algorand blockchain, by running your own instances using the hosted repositories found in the target section. Comprehensive documentation for each target can be found below and within each repository.

Documentation:

Out Of Scope:

Credentials and API keys identified in github history without a demonstrated impact will be considered low impact or out of scope for this program

Algorand considers Social Engineering attacks against Algorand employees a violation of Program Policies. Researchers engaging in Social Engineering attacks against Algorand employees will be banned from the Algorand Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Closing:

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.

The current Bug Bounty Program as described on this page is v1.0 of our Bug Bounty Program. We anticipate the need to improve it over time and appreciate any feedback you may have on what we can do better.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.