Bug bounty program - first draft

Poll: Max bounty for highest priority bug disclosure (16 voters; poll closed)
#1
Hi everyone.

This post contains the link to the first draft of the bug bounty program as created by the core committee. The idea is to promote sensible disclosure of sensitive issues in the Factom core components and at the same time encourage people to start investigating.

Please provide your input on the current document.

One of the things is that we want to encourage people to start investigating, which means our bonus/bounty needs to be high enough, of course. Right now it is pretty low, so I created an informal poll as well to get a feeling for the amount we are willing to pay for the highest priority sensible bug disclosures.

The current draft: https://docs.google.com/document/d/...fRdhXtSbAvJu_jhqQ/edit#heading=h.se4l1p6wqssb

Everybody. Denomination above should read USD and not FCT!
#6
My recommendation would be to offer between $500 - $1000 for critical bugs to begin with and reassess once the bug program is announced and live. We may find there are a lot of critical bugs which could be found within a very short space of time. If this happens we still need to be able to honor and pay out for the bugs found. Once time passes we can slowly increase the bounty to make it worth it to spend more time finding more hidden bugs.

Are there any plans to release the bounty program beyond the forum? If we want to gain maximum reach we should post the bounty program on a site such as https://www.bugcrowd.com/
#9
@Niels Klomp, may Operators participate in the bug bounty? I am not sure that the bug bounty should compensate bugs found by Operators and their employees. Your thoughts?

Yeah, I get your point. On the other hand, the amounts mentioned are max amounts, as the document makes it quite clear that it is up to the core committee to decide. In the end we want to make sure we have responsible disclosure of bugs, and especially high impact bugs. That means the incentive needs to be there IMO. We are all best served if people find sensitive issues in the software and try to work with us to get them resolved. ANOs have a vested interest in the protocol obviously, and ANOs that have colleagues who do core development should be excluded I guess. Whether the same should be true for other ANOs, I am not sure about that and hope to hear other people's opinions.