The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Responsible Disclosure
Our development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.
Programs
The Stellar Development Foundation has partnered with these trusted bug bounty platforms to ensure reports are handled in a fair and timely manner. The payout models vary based on severity and impact. Please refer to the payout structures in the Immunefi and HackerOne terms.
Please refer to Immunefi's point classification system here.
There are two Immunefi bounties supported by the Stellar Development Foundation.
Stellar Bounty
Identify vulnerabilities related to Stellar network or Soroban smart contract core tech.
Stellar Contracts OpenZeppelin Bounty
Identify vulnerabilities related to OpenZeppelin developer tooling and contract standards.
Identify vulnerabilities in the Stellar network web applications and domains.
Generally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar network could be eligible for an award. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for an award.
In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:
In general, the following would not meet the threshold for severity:
Severity
The severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.
Eligibility
The Stellar Development Foundation (“SDF”) Research and Development (“R&D”) Grants Committee will only consider bounty submissions that meet the following eligibility criteria, so please read through these guidelines prior to submitting materials to the SDF Bounty Program.
1.1 The Bounty Program is only open to: (a) Eligible Individuals, as defined in Section 1.3 below; (b) teams of Eligible Individuals (“Teams”); and (c) organizations (e.g., corporations, limited liability companies, partnerships, and other corporate entities) that consist of Eligible Individuals and that are duly organized or incorporated and in good standing at the time of submission (“Organizations”). Eligible Individuals, Teams, and Organizations are collectively referred to herein as “Participants.”
1.2 When a Team or Organization submits materials to the Bounty Program, they should authorize a single Eligible Individual (a “Representative”) to represent, act, and prepare the submission on their behalf. By entering a submission on behalf of a Team or Organization, you are representing that you are authorized to act on behalf of such Team or Organization.
1.3 An “Eligible Individual” is a natural person who:
1.4 Applicable law and our internal policies restrict SDF from providing XLM awards to certain categories of projects. The following types of projects will not be considered for the Bounty Program (or any XLM award in connection therewith):
If you are unsure whether your submission or project falls into one or more of these categories, please contact us at [email protected] to discuss.
1.5 SDF complies with all applicable laws and regulations in the distribution of XLM awards. If your bounty submission is selected for the Bounty Program, you, your Team or your Organization (as applicable) will be required to complete certain compliance checks and submit certain tax forms to facilitate the receipt of any XLM award under the Bounty Program. Failure to submit appropriate documentation or failure to pass the required compliance checks may result in your disqualification from consideration. SDF is under no obligation to make any XLM awards if there are no eligible submissions or eligible Participants or if Participants do not successfully complete and comply with all necessary compliance and tax obligations.
1.6 To determine the number of XLM equal to the USD value of any award, the USD valuation of XLM shall be calculated using the CF Stellar Lumens-Dollar Settlement Price as administered, maintained, and reported by the cryptocurrency index provider CF Benchmarks Ltd. (using the ticker “XLMUSD_RR”) (available at https://www.cfbenchmarks.com/indices/XLMUSD_RR), or, if such settlement price is unavailable, the settlement price as reported on a substantially similar and equally reputable cryptocurrency index provider selected by SDF in its reasonable discretion. The USD valuation of XLM for any particular award shall be calculated using the CF Stellar Lumens-Dollar Settlement Price (or equivalent) reported on the day such award is scheduled to be distributed. Participants acknowledge and understand that XLM is a highly risky and volatile asset, and that SDF does not provide any representations, warranties, or guarantees of its value.
1.7 Participants should inform themselves as to any legal and tax requirements or consequences applicable to them in respect of the acquisition, holding, and disposition of XLM. Participants are responsible for reporting the receipt of any XLM award to relevant government departments or agencies where applicable and paying all applicable taxes in their jurisdiction of residence (federal, state/provincial/territorial and local). SDF RESERVES THE RIGHT TO WITHHOLD A PORTION OF ANY XLM AWARD AMOUNT TO COMPLY WITH THE TAX LAWS OF THE UNITED STATES OR OTHER SDF JURISDICTION, OR THOSE OF A PARTICIPANT’S JURISDICTION.
2.1 SDF reserves the right, in its sole discretion, to cancel, suspend or modify the Bounty Program or any of these eligibility criteria for any reason. To the fullest extent permitted by law, any amendment will become effective at the time specified in the posting or, if no time is specified, the time of posting.
2.2 The Bounty Program is governed by the SDF Terms of Service and these Eligibility Guidelines. If there is any conflict or inconsistency between the Terms of Service and these Eligibility Guidelines, these Eligibility Guidelines will prevail.
2.3 SDF’s failure to enforce any term of these Eligibility Guidelines shall not constitute a waiver of that provision. Should any provision of these Eligibility Guidelines be or become illegal or unenforceable in any jurisdiction whose laws or regulations may apply, such illegality or unenforceability shall leave the remainder of these Eligibility Guidelines, to the fullest extent permitted by law, unaffected and valid. The illegal or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest and best reflects the SDF’s intention in a legal and enforceable manner.
2.4 SDF may collect personal information in connection with a Bounty Program submission. Such information is subject to the SDF Privacy Policy.
If you have any questions about the Bounty Program or your eligibility under these guidelines, please email [email protected].