The Moonbeam bug bounty program is focused on the Moonriver and Moonbeam Parachains (deployed to Kusama and Polkadot respectively) and dapps. It is focused on preventing:
Moonbeam/Moonriver:
- Thefts and freezing of principal of any amount
- Thefts and freezing of unclaimed yield of any amount
- Theft of governance funds
- Governance activity disruption
- Network shutdown
Website and Apps:
- Website goes down
- Leak of user data
- Deletion of user data
- Access to sensitive pages without authorization
https://immunefi.com/bounty/moonbeamnetwork/
Blockchain and EVM/Precompiles
Level | Reward |
---|---|
Critical | up to USD $1,000,000 |
High | USD $75,000 |
Medium | USD $20,000 |
Low | USD $5,000 |
Website and Apps*
Level | Reward |
---|---|
Critical* | USD $15,000 |
High | USD $7,500 |
Medium | USD $2,500 |
Low | USD $1,000 |
* All web/app bug reports must come with a Proof of Concept (PoC) in order to be considered for a reward.
At the discretion of the team, a PoC may be required in order to determine if the bug exists, and if necessary, to calculate the extent of the damage the bug could have if exploited.
Critical vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum of USD $75,000 for Critical bug reports.
The Moonbeam Foundation requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is an ID scan along with a selfie to verify identity.
Payouts are handled by the Moonbeam Foundation team directly and are denominated in USD. However, the payments themselves are made in USDT or USDC.