Bug Bounty Programs

Tip

Looking for comprehensive information on setting up, managing, and operating a bug bounty program? Please refer to the Smart Contract Security Field Guide's bug bounty guide. This resource provides in-depth, up-to-date knowledge and strategies that are paramount for running a successful bug bounty program.

Over the course of time Ethereum security has evolved to include different flavours of bug bounty programs which will be detailed below:

Bug Bounty Platforms

The first category are bug bounty platforms wherein a development team submits their project to a platform that either manages the programme for them or simply lists their project for exposure and reach toward interested security researchers. These platforms are further divided by type. The first are web3 native platforms hosting the majority of smart contract and frontend bug bounty programmes you'll find and the second are traditional platforms hosting majorly programmes with the frontend of centralized exchanges in scope. Finally, there are bounty collaboration platforms where developers are paid to code and implement new features or smart contracts.

Web3 native platforms:

• Immunefi
• HackenProof

Traditional platforms:

• HackerOne
• Bugcrowd

Bounty collaboration platforms:

• Gitcoin

Crowd-sourced Security Solutions

In response to the high demand and low supply for professional smart contract security review firms, a few crowd sourced solutions have emerged to solve the issue. They all employ a bug bounty-esque model hence inclusion on this list. They call them "audit contests" with freelance security researchers scrambling to find and report vulnerabilities within a set time period i.e two weeks with payouts only being issued for successful findings. Examples are listed below:

• Code4rena

Project Managed Bounties

The final category for now consists of bug bounty programmes that are directly managed by the project team itself and are often focused on smart contracts in their scope whether that's contributing to their features or breaking them.

Issues and PRs are welcome to add new bounties, or remove those which are no longer active.

• Airswap
• Ethereum Foundation: Has a large scope, including clients, Solidity and Vyper, and more.
• Etherscan.io
• ImmutableSoft
• 0xProject
• Parity: Includes client and contract code