Bug Bounty Program

Enhancing Network Security through Community Collaboration.

A call for developers and researchers to bolster the strength of the network by identifying potential vulnerabilities.

Get Rewarded for Your Work

Bounty rewards are determined by the severity and impact of each submission.

For detailed examples and descriptions of the types of vulnerabilities that correspond to each severity level, see the “Operational Resilience” section of the Coreum page at CertiK.

Assets in Scope

Coreum Source Code
Blockchain/DLT

Coreum Website
Application/Web

Documentation
Application/Web

Explorer
Application/Web

Submission Requirements

Bug reports require a Proof of Concept (PoC) and steps to reproduce the vulnerability. Code is required as part of the PoC; written statements or explanations alone will not be accepted.

All bug bounty hunters are required to complete KYC requirements if they submit a report and seek a reward. Valid ID checks and proof of residence will be required as part of the KYC process.

How to Submit a Bounty

  1. Register an account with CertiK.
  2. Click on “Submit a Bug” on the Coreum Operational Resilience page.
  3. You will be prompted to fill out a webform; follow the instructions and upon successful submission, you will receive an email confirmation with a reference ID.

Program Rules

Provide one vulnerability per report, unless a chain of vulnerabilities is needed to provide impact.

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

When duplicates occur, only the first report that can be fully reproduced will be awarded.

Avoid privacy violations, destruction of data, and interruption or degradation of services. Only interact with accounts you own or with the explicit permission of the account holder.

Prohibited Activities

Public disclosure of an unpatched vulnerability in an embargoed bounty.

Social engineering of any kind.

For a more in-depth overview of the program rules, please visit the CertiK website.

Testing with mainnet, testnet, and devnet.