Algorand

  • $125 – $2,500 per vulnerability
  • Up to $5,000 maximum reward
  • Safe harbor
  • Managed by Bugcrowd

Program stats

11 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$750 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Algorand was founded by cryptography pioneer and Turing award winner, Silvio Micali, to solve the “blockchain trilemma” with a platform that delivers decentralization, scalability and security. Algorand provides a foundation for existing businesses and new projects to operate globally in the emerging decentralized economy. Algorand’s first-of-its-kind, permissionless, pure proof-of-stake protocol supports the scale, open participation, and transaction finality required to build systems for billions of users.

Algorand invites you to test and help secure our innovative decentralized protocol. We appreciate your efforts and hard work in making the internet (and Algorand) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


Target Information:

You will test Algorand's protocol nodes, SDKs and their integration with TestNet, our primary testing location for the Algorand blockchain, by running your own instances using the hosted repositories found in the target section. Comprehensive documentation for each target can be found below and within each repository.

Documentation:


Ratings/Rewards:

For the initial prioritization/rating of findings, a summary of the submission types accepted and their severity rating has been provided under this brief. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Vulnerability Categories:

Please note these will be the only vulnerability categories rewarded for this program. No other submission types will be reviewed nor rewarded. Non-applicable submission types will be marked as such.

P1 categories:

  • Any methods of Remote Code Execution (RCE) on an Algorand node
  • Any methods of double spending, stealing, deleting/burning or creating Algos
  • Any methods to create two or more valid blocks for the same around (Forking)
  • Any methods which can lead to private key compromise

P2 categories:

  • Any security bug or issue in the cryptography relating (Non-third party) to key generations, signing and verification

P3 categories:

  • Any methods to censor transactions or eclipse nodes for the purpose of participation in consensus
  • Any Permanent Denial of Service (unable to progress with consensus protocol) to an Algorand node

P4 categories:

  • Any Denial of Service (unable to progress with consensus protocol) to an Algorand node
  • Any Denial of Service (termination of the process) to an Algorand node

P5 categories:

  • Any bug which allows an attacker to show corrupt information to a consumer of an API (does not need to necessarily corrupt any vital state)

Please test the latest released versions of each project available. Only the newest released package is in scope.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.