When we updated our Responsible Disclosure policy last year, we did so with a very limited budget.
Members of the community were very quick to point out that the size of the rewards was not commensurate with the scale of the issues we were asking the community to help us find.
Now that 2024 has rolled in, and we’re in touching distance of the Minotari mainnet launch, we’re able to substantially increase the value of the rewards we’re offering, primarily in the form of Tari tokens.
Bounties up to $250,000 worth of XTR
Yes, for all intents and purposes, we’ll pay you a quarter mil in Minotari tokens ($XTR) for consensus-breaking bugs.
There are some Ts & Cs. The major ones are highlighted below, but you can skip all of this and go and read the full, updated Tari Security Policy if you feel like studying.
We are still offering cash rewards, but the lion’s share of the reward value will be coming from the token bounty allocation.
Get cracking!
Cash bounties
The payouts for cash bounties have actually gotten a slight boost. We have partnered with HackerOne for our new bounty program, and the payouts are as follows:
Token-based bounties
If you make use of the HackerOne program, we may issue a token reward in addition to the cash bounty. The token rewards are awarded according to the following schedule:
*As the Minotari price is unknown prior to launch, values are quoted in USD-equivalent terms at time of delivery. The bounties will be paid out in Minotari. For example, if the trading price of Minotari was $0.04, a medium-severity award of $10,000 would be converted to 250,000 Minotari tokens.
Terms and conditions apply
Here’s the stuff you all love, the fine print. Grab your coffee and check out the details.
Tokens will be distributed after launch
So, firstly, the token rewards can only be paid once Minotari actually exists. Obviously. But we’d love to have any bugs that warrant the highest payout be found before launch.
So we’re kicking off the bounty program now, and handing out IOUs for the tokens to be paid out a few months after launch. The delay is there to let the Minotari price stabilize for a period before issuing the awards.
The cash rewards are a little sweetener, in addition to the tokens, to compensate for the time delay between disclosure and token payout.
Cash rewards can only be claimed on HackerOne
We’re working with HackerOne to manage the bounty program. All the cash rewards will be paid out through that program, and you’ll need to register with HackerOne to claim them.
If you find a bug but don’t want to register with HackerOne, you can still claim the token reward but will forgo the cash bounty.
Non-critical, non-HackerOne disclosures will likely take much longer to triage, since these disclosures must be processed by the core developers, and they’re rather busy prepping for mainnet launch.
Read the full disclosure policy
You can read all the fine print, along with instructions on how to join the HackerOne bounty program in the Tari Security Policy document. Thank you for helping us make Tari more secure!
Join the community
Got more questions? Interested in chatting with Tari contributors? Join the Tari Discord or Telegram and we’d be happy to answer any questions you may have.
Also follow us on X (previously Twitter) to stay up to date on the latest (and greatest) of all things Tari.