Algorand was founded by cryptography pioneer and Turing award winner, Silvio Micali, to solve the “blockchain trilemma” with a platform that delivers decentralization, scalability and security. Algorand provides a foundation for existing businesses and new projects to operate globally in the emerging decentralized economy. Algorand’s first-of-its-kind, permissionless, pure proof-of-stake protocol supports the scale, open participation, and transaction finality required to build systems for billions of users.
Algorand invites you to test and help secure our innovative decentralized protocol. We appreciate your efforts and hard work in making the internet (and Algorand) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
You will test Algorand's protocol nodes, SDKs and their integration with TestNet, our primary testing location for the Algorand blockchain, by running your own instances using the hosted repositories found in the target section. Comprehensive documentation for each target can be found below and within each repository.
For the initial prioritization/rating of findings, a summary of the submission types accepted and their severity rating has been provided under this brief. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Please note these will be the only vulnerability categories rewarded for this program. No other submission types will be reviewed nor rewarded. Non-applicable submission types will be marked as such.
- Any methods of Remote Code Execution (RCE) on an Algorand node
- Any methods of double spending, stealing, deleting/burning or creating Algos
- Any methods to create two or more valid blocks for the same around (Forking)
- Any methods which can lead to private key compromise
- Any security bug or issue in the cryptography relating (Non-third party) to key generations, signing and verification
- Any methods to censor transactions or eclipse nodes for the purpose of participation in consensus
- Any Permanent Denial of Service (unable to progress with consensus protocol) to an Algorand node
- Any Denial of Service (unable to progress with consensus protocol) to an Algorand node
- Any Denial of Service (termination of the process) to an Algorand node
- Any bug which allows an attacker to show corrupt information to a consumer of an API (does not need to necessarily corrupt any vital state)
Please test the latest released versions of each project available. Only the newest released package is in scope.
|Technical severity||Reward range|
|p1 Critical||$2,100 - $2,500|
|p2 Severe||$1,200 - $1,500|
|p3 Moderate||$500 - $750|
|p4 Low||$125 - $200|
Out of scope
Testing is only authorized on the target listed as In-Scope. Any domain/property of Algorand not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Out Of Scope:
Credentials and API keys identified in github history without a demonstrated impact will be considered low impact or out of scope for this program
Algorand considers Social Engineering attacks against Algorand employees a violation of Program Policies. Researchers engaging in Social Engineering attacks against Algorand employees will be banned from the Algorand Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via firstname.lastname@example.org before going any further.
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.
The current Bug Bounty Program as described on this page is v1.0 of our Bug Bounty Program. We anticipate the need to improve it over time and appreciate any feedback you may have on what we can do better.