Bug Bounty Program
Last updated
Was this helpful?
Last updated
Was this helpful?
Welcome to the Bug Bounty Program at Blockscout! Ensuring the safety of our platform is a top priority, and we greatly appreciate the crucial role security researchers play in contributing to open source. Should you identify a possible security vulnerability within our platform, we invite you to join our bug bounty program and share your findings.
Send us an email with the information below. We ask that you please keep your findings confidential during the reporting process. We will get back to you with our diagnosis or additional comments/questions as required. We may patch the vulnerability prior to our response to you, and will determine the risk level and possible payout on a case-by-case basis.
Description of the bug/vulnerability
Clearly describe the vulnerability you've discovered.
Steps to reproduce Outline the steps needed to replicate the vulnerability.
Impact analysis
Assess the potential impact of the vulnerability on users, developers, and the organization.
Code fix (optional) If possible and appropriate, you may include a suggested code fix for the vulnerability.
Type of vulnerability
Choose a label that best fits the category of the bug for classification purposes. This aids in rewards distribution and participation.
Additional Context
Provide any additional information that could help in understanding and resolving the issue.
Email your report Email your report to
Critical Risk: $1000 to $4000 in crypto equivalent based on severity.
High Risk: Up to $500 in crypto equivalent.
Moderate Risk: Up to $250 in crypto equivalent.
Low Risk: Up to $100 in crypto equivalent.
Security issue submission does not automatically qualify you for a bounty reward. Final determinations regarding risk severity, reward amounts, and payment schedules are made exclusively by the Blockscout team. For vulnerabilities found across multiple explorers, rewards are only issued for the first reported instance. Please review the general guidelines below for more information about our evaluation process.
Vulnerabilities in the following areas are eligible for bounty consideration.
Business logic bugs or problems
Remote code execution (RCE)
Database vulnerability, SQLi
File inclusions (Local & Remote)
Access Control Issues (IDOR, Privilege Escalation, etc)
Sensitive information leaks
Server-Side Request Forgery (SSRF)
Other vulnerability with a clear potential loss
Unless presenting a serious business risk (at our discretion), the following are typically not eligible for rewards:
Minor visual bugs, spelling errors, etc.
Social engineering tactics (e.g., phishing)
Issues in applications or systems not listed in the scope
UI/UX bugs, data entry errors, and typos
Network level Denial of Service (DoS/DDoS) vulnerabilities
Certificate/TLS/SSL issues
DNS configuration problems
Server configuration issues (open ports, TLS configurations, etc.)
Spam or social engineering techniques
Security flaws in third-party apps or services
Non-impactful XSS exploits
CSRF-XSS issues related to login/logout
Issues related to https/ssl or server-info disclosure
Mixed Content Scripts
Brute Force attacks
General best practices concerns
Recently disclosed 0day vulnerabilities
Username/email enumeration via error messages
Missing HTTP security headers
Weak password policies
HTML injection
Thank you for your help keeping vital public infrastructure like block explorers safe and secure!
If you are the first person to report the issue and we make a code or configuration change based on your findings, we will reward you with a bounty and mention (at your discretion) in our !
blackgrease: