Bug Bounty Program
Source: https://www.mintlayer.org/bug-bounty-program
Archived: 2026-04-23 17:11
The Mintlayer bug bounty program
Mintlayer is happy to accept reports of any kind of bug, although currently only valid security issues are eligible for a bounty. Only the first report of any issue will be considered valid, and the bug must not already exist in any of our internal bug tracking systems or be fixed in another branch of the code yet to be merged. All valid security issues will allow the reporter to be listed in our "bug finders list" in the project repo.
Email [email protected] or [email protected] for security issues. For secure submissions Enrico's PGP key can be found here. Non-security bugs can be sent to [email protected] or opened as issues on the repository.
We will endeavour to respond within 3 working days to verify we can replicate the issue or to ask for further information. The time until a fix is released will depend on the complexity and severity of the issue disclosed. The reporter may not publicly announce the issue until a patch has been released, and not without prior authorisation. Any issue publicly announced without agreement will be considered ineligible for a reward.
Mintlayer bounties will be paid in ML mainnet coins. The bounties awarded will be up to 25,000 USD (paid in ML coins), and the value will depend on the severity of the issue and the difficulty of exploitation, using the CVSS score and the opinion of the core development team.
Security issue ticklist:
The issue is valid in the latest code release (and has not since been fixed) or in the master branch on the repository.
This issue has not been previously reported by another bug bounty hunter or discovered internally
The bug has been reported responsibly
A bug is only valid if it is found on a network you have created yourself (you should create your own network by modifying the source code in our Code repository). A bug found by attacking any Mintlayer-run testnet or mainnet will be considered invalid.
In scope (Mintlayer core node, the Mojito browser extension, Mojito Mobile App and the Mintlayer core repo wallets):
Double spend attacks
Secure information leakage (secret keys or mnemonic phrases)
Transaction tampering:
  Changing amount of a transaction
  Changing the token in the destination
  Changing the destination of a transaction
Remote code execution
Contract or script tampering
Other issues will be judged on a case-by-case basis. Email us if you have something you think should apply.
Out of scope:
DoS/DDoS attacks
Usage of any Mintlayer mainnet or testnet
MITM attacks or attacks requiring physical access
Non-best practice SSL/TLS usage
*.mintlayer.org (that is not mentioned above)
Bugs in libraries used by Mintlayer that are not related to misuse in the Mintlayer code base
Bugs in libraries used by Mintlayer already publicly announced elsewhere
Any issue listed on Mintlayer's repository or known internally (there is a slight lag between an issue being known internally and being listed publicly)
Issues only affecting non-stable Mintlayer builds such as development builds
RCE without a proof of concept
Reports that use another’s account without consent
Publicly announced issues
Issues that directly impacted other users in the discovery or proving stages
Social engineering and phishing attacks
Reports without reproducible steps
Reports that cannot be reproduced