Program stats

9 vulnerabilities rewarded

Validation within 11 days
75% of submissions are accepted or rejected within 11 days

$300 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Dash is an experimental new digital currency that enables anonymous, instant payments to anyone, anywhere in the world. Dash uses peer-to-peer technology to operate with no central authority: managing transactions and issuing money are carried out collectively by the network.


This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Targets

Target Information

Dash Core

Open source software that enables the use of this currency. It is the primary target of this bug bounty program and is located at https://github.com/dashpay/dash.

At this time focus should be placed on the version 12.2 branch of Dash Core: https://github.com/dashpay/dash/tree/v0.12.2.x

Access: There is a Dash testnet created specifically for software testing. Unlike mainnet, the DASH that exists on testnet has no real value, and since it's an entirely separate network, there is no risk in using the new and experimental software. The Dash team invites anybody who is interested to download the software and become active on testnet.

For more on the Dash testnet, visit:

Dash Wallet

Have your Dash always with you, in your pocket! You pay by quickly scanning a QR code. As a merchant, you receive payments reliably and instantly. Dash Wallet is the first mobile Dash app.

Access:
iOS: Here
Android: Here

Rewards:

Priority   Reward
P1         $5,000 - $10,000
P2         $1,000 - $5,000
P3         $500 - $1,000
P4         $100 - $500

Vulnerabilities found in Dash Messaging will not be eligible for a monetary reward (Kudos only).

Dash Messaging

We would like researchers to focus their attention on user authentication. We need to know how an attacker might take over another user's account. We are also interested in ways that the system can be gamed.

Access: Researchers are welcome to create accounts on the live site at https://d-msg.com for testing purposes. If a researcher would like to conduct tests with deposited funds, contact the Dash Messaging support team and we will make arrangements - https://d-msg.com/D_MSG_support.

New users go through three phases that have escalating privileges:

  1. Guest user
  2. Registered user
  3. Confirmed user

Out-of-Scope

Any issues that have been reported will be out-of-scope: https://github.com/dashpay/dash/issues
https://www.dash.org

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.