Security

Bug Bounty Program

Threshold Network has a Bug Bounty program with Immunefi.

The details for the Bug Bounty are maintained and updated at the Immunefi Threshold page. There you can explore the assets in scope of the Bounty and the different rewards by threat level. As a guide, the initial bounty program launched with the following rewards according to the severity of the threats found:

Smart Contracts

• Critical Level: USD $100,000 to USD $500,000

• High Level: USD $10,000 to USD $50,000

• Medium Level: USD $1,000 to USD $5,000

• Low Level: USD $1,000

Websites and Applications

• Critical Level: USD $10,000 to USD $25,000

• High Level: USD $1,000 to USD $10,000

• Medium Level: USD $1,000

A great place to begin your research is by working on our testnet. Please see our documentation to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Reporting a Vulnerability Not Covered by the Bug Bounty Program

Please, verify the list of assets in-scope and out-of-scope available as part of the Threshold Bug Bounty details. Additionally, security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi.

Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings.

We also ask all researchers to please submit their reports in English.