ENS bug bounty program
The ENS bug bounty program rewards anyone who finds a bug in covered ENS smart contracts.
up to 250K
9 months ago
about the program
- Issues that have already been submitted by another user or are already known to the ENS team are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for a bounty. This includes exploiting the bug on mainnet or any public test network.
- The ENS team, employees and all other people paid by ENS project, directly or indirectly, are not eligible for rewards.
- Only the smart contracts listed below are eligible for rewards. Websites and other infrastructure are not covered by the bounty program.
- The ENS bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the ENS team.
The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood
The ENS team reserves the right to adjust bounty amounts at any time in the future.
Where the contract in our GitHub repository differs from the one deployed on Ethereum, due to changes having been made since the last deployment, the following rules apply:
- If the bug exists in the contract deployed on Ethereum, the full bounty amount is payable.
- If the bug is only in the version on GitHub, the ENS team will decide at is discretion an appropriate proportion of the bounty to award based on the state of the code (from 0% for code that was never intended to be deployed, to 100% for code that is considered final).
In addition to Severity, other variables are also considered when the ENS team decides the score, including (but not limited to):
- Quality of description. Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.
The following smart contracts are covered by the bounty:
Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the ENS team
- Critical: up to $250,000
- High: up to $150,000
- Medium: up to $100,000
- Low: up to $20,000
- Note: up to $5,000
Submitting a Bug
Bugs should be submitted via email to firstname.lastname@example.org, or on Keybase to @arachnid