As many of you already know, Wormhole hosts two of the largest bug bounty programs in existence, with top-end payouts of $10,000,000 USDC for the most critical of bug classes. You can find more details about those programs here.
A topic of regular discussion among Wormhole project contributors is how the program can be made better. The contributor base truly understands the strategic value that bug bounty programs have in complementing the Wormhole security program. We also have the opportunity to work with some of the best white-hat hackers in the world, so we asked them…
What is the most important change you’d like to see to the bug bounty program? And oddly enough, the signal was crystal clear…
“Offer a pre-release bounty program that makes scopes available before mainnet”
When you run a bug bounty program, you need to define which specific items are in scope. Up to this point, the only in-scope areas for Wormhole have been the smart contracts and guardian code deployed to mainnet. So the ask is essentially to bring new functionality into the bug bounty scope before that code is deployed to mainnet.
We wanted to highlight some of the benefits this would have to various stakeholders of Wormhole:
- Wormhole Project: This allows the finding and fixing of bugs before they hit mainnet, making it significantly easier to patch these bugs in the open, without additional governance effort, and without additional stress.
- Wormhole User: This shows users that Wormhole is pulling out all the stops to lower the likelihood of their being affected by a bug on mainnet, by providing financial incentives to a broader community of researchers than could be reached organically.
- Wormhole White-Hat Hackers: This gives white-hat hackers the first crack at these bugs before the code is battle-tested on mainnet. They can be part of the security story earlier (“shifting left”), reducing the potential for user harm, while still receiving a healthy reward, as if they had found the bug on mainnet.
As the incentives are well aligned, we are announcing today the launch of the Wormhole Bug Bounty Pre-Release program. This program keeps the same reward structure as if a bug had been found on mainnet, with the additional benefit that bugs are discovered before the code is deployed to mainnet.
The following new chain integrations are now added as pre-release bug bounty scopes and are available for white-hat hackers to start claiming bounties today:
- Wormhole Aptos Smart Contracts (pre-release)
- Wormhole Algorand Smart Contracts (pre-release)
We’re excited about this new chapter in the evolution of the Wormhole bug bounty program and look forward to all parties involved reaping the benefits mentioned above. We’re also really open to new and innovative ways to push the bounty program forward, so if you have feedback, please reach out to a community manager on Discord -OR- find and report a bug and let us know!
Until next time, happy hacking, and thank you all for your contributions to keeping Wormhole safe and secure!