The Dash Core Group Bug Bounty Program allows developers to discover and resolve bugs before the general public is aware of such bugs, preventing incidents of widespread abuse. If you find a security vulnerability on any of the in-scope products mentioned below, please let us know right away by reporting it.
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. If you prefer to submit via an encrypted email, you can download the key above and email the details to infosec@dash.org.
The goal of the DCG Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users. Vulnerability submissions must meet certain criteria to be eligible for bounty rewards. Bounty rewards are based on a combination of priority and severity.
30 Points: Could cause a loss of funds (without device access). Private key exposure, recovery phrase exposure, PIN code attack/bypass.
20 Points: Prevents the use or receipt of funds (without device access). Cannot sync with the chain, persistent error when trying to send Dash, cannot receive a transaction that was successfully submitted to the network.
20 Points: Breach of privacy (with device access). Private key exposure, recovery phrase exposure, PIN code attack/bypass, balance or transaction visibility without the required authentication.
10 Points: Wallet balance and transactions (with device access). Incorrect balance, incomplete transaction history that is reproducible, cannot recover a valid wallet.
30 Points: Very likely to occur, can occur on every device model and in any localization with the latest OS version, does not require the installation of additional software on the device.
20 Points: Moderate likelihood to occur, can only occur on specific device models in any localization with any supported OS version, or can occur on every device model in a specific localization with any supported OS version.
10 Points: Low likelihood of occurring, can occur on a specific device model or a specific localization with a specific OS version.