Help Us Make Polkadot More Secure!

We work hard to make sure the systems we build are bug-free, but acknowledge that we might not catch them all. We call on our community and all bug bounty hunters to help identify bugs in the protocols and software. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Our Bug Bounty Program enables us to recognize and reward active community members for helping us identify and fix significant bugs. We do so in accordance with the terms and conditions set out below.

Send your submission using the Submissions Form. Reports must be submitted directly only through our official submissions form. Do not host your report on external websites and provide a link to it; doing so will result in immediate disqualification.

What's In Scope?

If you've found a potential bug in the Polkadot SDK, Runtimes, or the associated build and deployment infrastructure, we want to hear from you! Parity welcomes vulnerability reports that demonstrate security flaws in:

  • Polkadot SDK: implementation-related issues only. Any bugs that can be used to bring down or take control of Polkadot and Kusama chains without direct access to host machines, including bugs in pallets and primitives.

  • Runtimes: Any bugs that compromise the intended behavior of the various blockchain runtimes (Kusama, Polkadot, etc.) in the Polkadot Fellowship.

  • Parity Releases Pipeline: any bugs that could be used to enable an attacker to inject malicious code into our distributed binaries, or be used to halt Parity's release process, or add malicious/unintended functions to the released binaries.

  • Production infrastructure: publicly available infrastructure. Please note that this does not include our publicly available web pages.

  • Polkadot-JS: only apps, extensions, and common repositories.

Please note that where the scope of this program includes third-party code, we are not legally or otherwise responsible for that code, its security, quality, or your rights in respect of that code.

Before submitting, please ensure your report does not duplicate any currently open issues or mitigations on the project repository; failure to do so will normally result in immediate rejection. Additionally, if during the review process we find that the vulnerability is already known internally, the submission may not be eligible for a reward. We have put these measures in place to maintain the integrity of the program and prevent the misuse of existing or internal information.

Exclusions: What's NOT in Scope

Did you find a bug in our open source blockchain code or related infrastructure? Great! Please tell us about it!

Most other things are not in scope, though. Specifically:

  • Static or dynamic websites (hosted behind parity.io, polkadot.network, and Polkadot SDK.io (sub)domains, etc.), unless you can find a way to compromise the data on the website for all of its visitors.

  • Codebases included in other Bug Bounty programs, e.g. Snowbridge, Hyperbridge, Parachains, etc.

  • Projects like Frontier, Polkadot API (PAPI), Novasama Wallets, and ink!.

  • Bugs that have already been submitted by another reporter, are already known to the Parity team, or have already been publicly disclosed.

  • Bugs in third-party tools and services we're using (but we would be glad to connect you with the security team of the corresponding project).

  • Parity Technologies' development team, Parity Technologies' employees, and any other person employed or providing services in any way to Parity Technologies' group, directly or indirectly, are not eligible for rewards. Social engineering attacks are also excluded.

  • Anything that contravenes the spirit or letter of this program.

Be Nice and So Will We!

Responsible investigation and reporting include, but are not limited to, the following:

  1. Use your best effort not to access, modify, delete, or store user data or Parity's data. Instead, use your own accounts or test accounts for security research purposes.

  2. Don't defraud, harm, or violate the privacy of Parity Technologies, Polkadot, or its users during your research; you should make a good faith effort not to interrupt or degrade on-chain services.

  3. Don't target our physical security measures or attempt to use social engineering, spam, or distributed denial-of-service (DDoS) attacks.

  4. Initially, report the bug only to us and not to anyone else. Keep the details of any suspected bug confidential.

  5. After reporting a suspected bug, give us a reasonable amount of time to fix it before disclosing it to anyone else, and seek our approval before doing so. An uncoordinated public disclosure may lead to your submission being disqualified from the Program (consequently, leaving you without any payout or recognition from Parity's side).

  6. Don't make repeat submissions of low-quality, rejected, or automated vulnerability reports. In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort to avoid being disruptive or harmful to on-chain users or us.

  7. In exceptional circumstances, we may ask you to assist us in protecting the ecosystem by signing an NDA regarding the discovered vulnerability.

Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

Is My Bug Eligible?

We evaluate submissions based on impact, and the following helps us respond more quickly to your submission:

  1. Please provide us with a working proof-of-concept or equivalent evidence, assuming that your research didn't produce unrecoverable changes. This helps us evaluate whether your submission is within the program's scope and can be reproduced in potential attacks.

  2. Please do not break our (or anyone else's) stuff. If you suspect that the bug you have found may be fatal for what you are testing against, please DO NOT take further actions. Instead, please describe your assumptions in as much detail as possible in the submission. Parity's Security team will investigate and award a higher bounty if the bug has a greater impact than you were able to determine without first breaking our stuff.

  3. In the report, please include your vision of the potential impact and potential attack scenario, including any required attack conditions. If your submission requires special or unrealistic conditions or must be chained with other attacks that have such conditions to execute, it will unfortunately be out of scope for this program.

  4. If there is no impact, then we aren't really too interested. Purely theoretical findings are sometimes entertaining to investigate, so feel free to send us any, but if there's no way they can be used to break our systems in practice, the findings won't be eligible for a reward.

  5. If you are able to compromise something significant, please STOP at the point of recognition, collect enough small evidence to understand where you are and what you can do, and report the vulnerability to us. This is particularly important if, after discovering the initial vulnerability, your continued research is likely to look much more like an attack than research. At that point, we might find the vulnerability before you tell us, which would render your discovery ineligible for a reward.

  6. Play by the rules, which includes complying with the spirit and letter of this program as well as any other applicable laws or agreements.

  7. We will pay bounties for vulnerabilities in third-party libraries (for instance, libp2p) incorporated into shipped client code utilized by Parity if both of the following two conditions are met:

     a. The bug leads to an exploitable vulnerability in the Polkadot and Kusama networks in particular, and

     b. the library is not actively maintained by another commercial entity with a separate bug bounty program.

  8. You must not have written the buggy code or otherwise been involved in contributing the buggy code to the Parity project.

  9. If you inadvertently access, modify, delete, or store data, we ask that you notify Parity immediately and permanently delete any stored user data thereafter.

We reserve the right to disqualify individuals from the Program if they threaten to withhold the security issue from us, threaten to release the vulnerability or any exposed data to the public or any third party, or otherwise act in a malicious, disrespectful, or disruptive manner. To the extent that you propose a fix that includes code, we will ask you to sign our standard contributor license agreement for that fix so we can deploy it going forward.

How We Pay You

  • Bug Bounty Program rewards are at the sole discretion of Parity Technologies.

  • You must be old enough to be eligible to participate in and receive payment from this Program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.

  • We might be prevented by law from paying you, for example if you live in a country, or you personally appear on a sanctions list, that applies to us. In this case, where reasonably possible, we would be happy to make an equivalent donation to an established charity of your choice as an alternative.

  • Duplicate submissions made within 24 hours of each other will split the bounty between reporters.

  • Each bug will only be eligible for a reward once.

  • To receive a reward, bounty-eligible bug hunters must first complete mandatory identity and DOT address verifications. Any information provided by individuals as part of this process will only be shared with Parity's Operations and Finance teams.

What Our Lawyers Want You to Know

The Parity Bug Bounty Program is a discretionary rewards program for our active community, encouraging and rewarding those who help improve the systems we build. It is not a competition. We may cancel the Program at any time, and rewards are awarded at the sole discretion of Parity's Security Team. All Bug Bounty awards are subject to compliance with local laws, rules, and regulations. We are unable to issue rewards to individuals on sanctions lists or to those in countries subject to sanctions. You are responsible for all taxes payable in connection with the receipt of any rewards. All rewards are subject to the laws of England and Wales. Finally, your testing must not violate any law or compromise any data or funds that are not yours.

Parity strongly supports and encourages security research into the Polkadot SDK and Polkadot. If you conduct genuine, in-scope, bug-hunting research in good faith and in accordance with this policy, we will consider your actions to be legitimate and will not seek prosecution. But for the avoidance of doubt, this does not give you permission to act in any manner that is inconsistent with applicable law or might cause Parity to be in breach of any of its legal obligations.

We understand that many Parity systems and services are interconnected with third-party systems and services. While we can authorize your research on Parity's systems and services, we cannot authorize efforts on third-party products or their response to your efforts.

Privacy

As part of receiving a bounty from Parity's Bug Bounty Program, you will need to share personal data with us, including your name, email address, ID information, photos, and a blockchain address. Parity Technologies is committed to protecting and respecting your privacy. To understand how Parity uses your personal data, please see our privacy policy.

This program is governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it.
