Dfinity Vulnerability Disclosure Program

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 8
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days

Latest hall of famers

Recently joined this program

58 total

Our company recognizes the importance of security, privacy and community, and values the input of hackers acting in good-faith to help us maintain a high standard for our users. This includes encouraging responsible vulnerability research and the disclosure of security vulnerabilities.

This bug bounty program focuses on the Internet Computer Protocol and core Internet Computer components and canisters.


  1. Ensure that the potential security bug you are reporting is in scope as specified in the Scope & Targets section below
  2. Please treat the report as confidential until the respective teams have a chance to fix the issue. Public disclosure of the vulnerability without abiding by this policy makes it ineligible for rewards
  3. Do not engage in social engineering techniques or spear-phishing campaigns
  4. Bugs in third-party code are strictly excluded from the scope.
  5. Duplicate reports and closely related submissions will be dealt with on a case-by-case basis. If the submissions are determined to be genuine they may be rewarded based on a lower rewards scale

Rewards Payment Process

1.First, obtain an ICP wallet address. You may use any valid ICP wallet address that best fits your needs and convenience. Below are some custody option examples that you can choose from to obtain a KYCed ICP wallet address.

NNS dapp
- Learn how to get started or view a more technical walkthrough.

- Follow step-by-step instructions to set up self-custody via Keysmith.

2.Once your ICP wallet address is ready, reply to this email and send the email address you plan to associate your account with before starting the KYC process. The provided email address will be whitelisted on the KYC website (~3 working days).

3.You will receive an email notification once your email has been whitelisted. Submit your KYC application on the KYC DFINITY page by clicking on ‘Other’ and entering the email address you provided to receive a unique link to begin the verification process. The KYC will be performed by a 3rd party and all information that the DFINITY Foundation receives is the email address and the ICP address.

Make sure at every stage of the onboarding process that your wallet address and associated email address are entered correctly to avoid any delay. As a reminder, DFINITY is not responsible for your asset custody nor will it be held accountable for any loss of your ICP distributed to you in the ICP wallet address you have provided.

If you have any questions regarding your KYC application or obtaining your ICP wallet address, please contact DFINITY Support.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.