RGB Bug Bounty Program
Help us secure the RGB protocol ecosystem by responsibly disclosing security vulnerabilities. Earn rewards for your contributions to making RGB safer for everyone.
Eligibility & Responsible Disclosure
Working with us in good faith by following our responsible disclosure policy is required to be eligible for a reward and ensures no legal action will be taken against you:
- Report bugs only to us, as fast as possible, and avoid sharing information with third parties until a fix is available
- Please do not violate the privacy of other users
- Exploit only what is needed to prove a security vulnerability and promptly return any assets that may be obtained to their legitimate owners
Rewards Policy
Eligibility for rewards: vulnerabilities enabling inflation or double-spend attacks
Rewards are determined according to the severity and impact of the vulnerability, with the final payout reflecting the quality of the report and the usefulness of any remediation guidance or proof of concept (PoC) provided.
Severity categories currently include:
- High: Inflation and double-spend vulnerabilities.
High-quality submissions that include a reliable test case or reproducible PoC will receive an increased payout. In particular, providing an executable test that clearly reproduces the issue grants an additional bonus of 10% on top of the base bounty.
Scope & Target
The main target of this bug bounty program is RGB consignment validation. Any attack involving a malicious consignment that goes undetected by an honest receiver is considered valid. To prove a vulnerability, you must provide either:
- A malicious consignment (or code that constructs such a consignment), together with a clear, detailed explanation of the elements that exploit the vulnerability; or
- A test case that reproduces a scenario that could not occur without exploiting the vulnerability (such submissions qualify for the additional payout described above).
Prize
The reward for each valid and demonstrated bug is set at 10,000 USD per vulnerability, provided it meets the reproducibility and impact criteria described in this policy.
Additional bonuses may be awarded at the discretion of the review team for exceptional submissions that include extensive technical analysis, testing frameworks, or verified mitigation proposals.
Contacts
To submit a vulnerability report or discuss potential findings, please contact us at:
mail: rgb.bugbounty@proton.me
