Decred Bug Bounty - DropsEarn
Decred Bug Bounty

    The Decred community welcomes security researchers and bug bounty hunters to find security vulnerabilities in its website and projects.

    Reward pool: Not set
    Expected profit: $100 - 25 000

  • Activity Type: Bug bounty
  • Date: 21 Jan 2019 00:00(UTC+3) - 21 Jan 2021 00:00(UTC+3)
  • Registration: Open
  • Event status: You can participate (Event started, Registration open)
  • Links: Official Announcement

How To Submit Vulnerability

Follow a standard format when submitting vulnerabilities:

  1. Title:
  2. Affected website or repository:
  3. Vulnerability Type:
  4. Details:
  5. Impact of Vulnerability:
  6. Reproduction or POC details:
  7. Fix:

Email your bug report to

Always use the PGP key below to encrypt the email, and be sure to include your own PGP key so we can securely respond. Failure to do so will reduce the payout amount.

Any supporting evidence (screenshots, videos, etc.) should be attached to the email itself. Media files should be encrypted inside a .7z, .zip or .tar.gz file with a secure password that is included in the PGP-encrypted email body. Hosting on external services may lead to disqualification.

Additional Information:


Decred asks that you respect the following rules and guidelines:

  • All bug reports need to have clear reproduction steps and/or proof of concept.
  • All bugs must be reproducible in the latest production release or the master branch of the code.
  • Bugs in old releases or feature branches are not in scope.
  • We prohibit denial of service attacks or network bandwidth load testing.
  • Unfortunately we are unable to pay for duplicate reports or reports of bugs which are already known.
  • Any type of public disclosure of the vulnerability without prior approval from the bug bounty program will make it ineligible for payout.
  • Do not attempt to directly contact the developers in order to obtain the status of a patch/fix.
  • No social engineering.
  • No spamming.
  • All current and past (for up to 6 months) Decred contractors are barred from taking part in this bug bounty program.
  • Vulnerability reports made before the start of the program will not be eligible for a bounty.
  • Do not attempt to attack or test on mainnet - the main Decred network. There is a completely separate Decred testnet which is specifically created for software testing. Testing on the public testnet will prevent impact on mainnet and removes the risk of causing real financial damage. It is also possible to create your own personal simnet. Simnet runs on your own local system, and has a low enough difficulty to mine blocks using only a CPU.


  • Almost all of Decred’s projects can be run locally and reproduction instructions are available on GitHub. We strongly recommend that you do this.
  • Always check the “issues” in GitHub of a project to avoid a duplicate report.
  • The Decred project is not responsible for any loss of DCR due to bug testing.


Decred will be using the OWASP Risk Rating Methodology for assessing vulnerabilities and determining payout amount.

[Image: OWASP risk rating table]

Decred will also take into consideration the impact on the Decred ecosystem. An RCE in dcrweb (low impact) is not the same as an RCE in dcrd or Decrediton (higher impact).

The following are also factors in the payout:

  • Quality of the initial writeup.
  • Quality of vulnerability reproduction steps and/or proof of concept.
  • If you provide a code fix for the vulnerability then you will also be eligible for a “code fix” bonus on the condition that our existing developers accept it as valid.

All payouts will be in Decred only. Payouts are done in a single batch once a month. You will be required to create and operate a Decred wallet. The DCR to USD ratio is based on the average USD rate of the previous month. The payout amount is decided by a core “bug bounty” group.

The payout amount will only be decided after the patch for the vulnerability has been merged. The submitter will then be contacted and given instructions on how to claim the bounty. The bounty hunter will be given one month to claim it after which the bounty will be considered forfeit.

Indicative payout amounts

Note: up to 300 USD

Low: up to 1,000 USD

Medium: up to 3,000 USD

High: up to 10,000 USD

Critical: up to 25,000 USD