Bug bounty


Important: We only accept bug reports for “bitmarkd” project. Bug reports for web application (i.e. Webapp), Android, or iOS App will not be accepted and given any reward.

Bitmark strives to make the Bitmark system safe and secure for everyone. We greatly value the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.

We offer rewards in Bitcoin:

1 BTC 0.5 BTC 0.2 BTC 0.1 BTC 0.01 BTC

Latest bug updates

2018.11.14: Congratulations to bughunterboy for finding bugs and earning rewards!
2018.10.11: Join our Bug Bounty Program and earn rewards now!

How to report a bug


Bitmarkd is the codebase for the Bitmark blockchain.

Bug scope Only bugs in Scope are eligible for the bug bounty
A qualifying bug has to be a danger to the blockchain records, privacy or client operations.
These include bugs in:

  1. Protocol: Flaws in Protocol design, an example is incentive design flaw in Paper
  2. Implementation of client: Any implementation bugs in Bitmarkd to cause bad block, invalid assets, transaction failure bad operations, or crashing of the program.
  3. Cryptography: Incorrectly implementation of Cryptographic algorithms.
  4. Network Attacks: Attacks like Sybil attack.
  5. Any bugs that we consider important.

Restrict online low-bandwidth attack to these two nodes only

Bugs in third party packages may or may not be rewarded by Bitmark. In theory, you should claim the bug(s) directly with the third party bounty program; however, we may also reward you for your effort.

Bugs out of scope include:

  • Physical access to a user’s device
  • Social engineering
  • MITM attacks
  • DDoS / Fuzzing / High-Bandwidth Attack


Collect rewards

Rewards are considered according to the impact and severity of vulnerability, relation to scope and quality of report.

  • Only unknown and first submitted bug is considered eligible for a reward.
  • Critical: key leaks
  • High: invalid block or corrupted database is high (at least high)
  • If the bug does not fit into the Critical or High criteria as defined above, it will be considered Medium, Low or Note
  • Detailed proof of concept has to be presented when claiming a Critical or High bug

Disclosure policy

Please discussed with us before disclosure of your finding bugs. Bitmark will endeavor to respond to reports within 2-3 business days and will make every effort to quickly address reported vulnerabilities. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you give us at least 90 days from the time of your report to correct the issue before you make the reported vulnerability public.

CONTACT USwith questions regarding Bitmark network security.


Read our governance policy. Or view the Bitmark Github repo if you are interested in contributing code.