Parity Bug Bounty Program

Program Overview

We work hard to make sure the systems we build are bug-free, but acknowledge that we might not catch them all. We call on our community and all bug bounty hunters to help identify bugs in the protocols and software. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Our Parity Bug Bounty Program allows us to recognise and reward members of the Parity community for helping us find and address significant bugs, in accordance with the terms of the Parity Bug Bounty Program set out below.

We want to remind all hunters that Parity’s main projects are blockchain-related source code (located in our Github repositories) and associated released binaries, and not websites or services in any form. This is the reason for our Bug Bounty Program covering only the former, and not the latter.

What's In Scope?

If you've found a potential bug in Substrate, Polkadot, or associated build and deployment infrastructure, then we want to hear from you!

Parity welcomes vulnerability reports that demonstrate security flaws in:

• Substrate - implementation-related issues only

Any bugs which can be used to bring down or take control of Substrate clients without direct access to the machine, including bugs in Substrate pallets and Substrate primitives.

• Smoldot

Any bugs which can be used to bring down or take control of Smoldot light clients without direct access to the machine

• Polkadot - implementation-related issues only

Client: Any bugs which can be used to bring down or take control of Parity Polkadot client without direct access to the machine.

Runtimes: Any bugs that compromise the intended behavior of the various Parity-built blockchain runtimes (Kusama, Polkadot, etc).

Parity releases pipeline: any bugs which could be used to enable an attacker to inject malicious code into our distributed binaries, or be used to halt Parity’s release process or add malicious/unintended functions to the released binaries.

Production infrastructure: publicly-available infrastructure Parity runs for production-grade networks (in contrast to testnets), especially parts which are critical for network’s well-being or safety of funds. Please note that this does not include our publicly available web pages that are static.

Cryptography code: any bugs relating to cryptography, encryption, decryption, and signing of messages (this includes account creation and recovery) in products, developed by Parity

Exclusions — What's NOT in Scope

Did you find a bug in our open source blockchain code or related infrastructure? Great! Tell us about it!

Most other things are not in scope, though. Specifically:

•    Static websits, until you can find a way to compromise the data on the website for all of the visitors.
•    Bugs which have already been submitted by another user or are already known to the Parity team or have already been publicly disclosed.
•    Bugs in third-party tools and services we’re using (but we would be glad to connect you with the security team of the corresponding project).
•    Parity Technologies’ development team, Parity Technology employees and any other person employed or providing services in any way to the company, directly or indirectly, are not eligible for rewards. Social engineering attacks are also here.
•    Anything that contravenes the spirit or letter of this Program.

See more details.