
RGB Bug Bounty Program
Securing the protocol through responsible disclosure
The RGB Bug Bounty Program rewards security researchers who responsibly disclose vulnerabilities in the RGB protocol implementation. Below is the framework under which the program operates when active.
Status
Program currently suspended
The RGB Bug Bounty Program is temporarily paused while the Association redefines its operational structure. The framework described on this page applies when the program is active. For urgent security disclosures while the program is suspended, please contact the Association directly.

01 — Eligibility
Eligibility & responsible disclosure
When the program is active, researchers must work with the Association in good faith by following this responsible disclosure policy. Doing so is required to be eligible for a reward and ensures that no legal action will be taken against the researcher.

Report bugs only to the Association, and as fast as possible. Avoid sharing information with third parties until a fix is available. Submit reports to rgb.bugbounty@proton.me.

Do not violate the privacy of other users while investigating or demonstrating a vulnerability.

Exploit only what is needed to prove a security vulnerability, and promptly return any assets that may be obtained to their legitimate owners.

02 — Rewards policy
Rewards policy
Only vulnerabilities enabling inflation or double-spend attacks are eligible for rewards. Rewards are determined according to the severity and impact of the vulnerability, with the final payout reflecting the quality of the report and the usefulness of any remediation guidance or proof of concept (PoC) provided.
Severity categories
High
Inflation and double-spend vulnerabilities.
High-quality submissions that include a reliable test case or reproducible PoC will receive an increased payout. In particular, providing an executable test that clearly reproduces the issue grants an additional bonus of 10% on top of the base bounty.

03 — Scope & target
Scope & target
The main target of this bug bounty program is RGB consignment validation. Any attack involving a malicious consignment that goes undetected by an honest receiver is considered valid.
In order to prove a vulnerability, the researcher must provide one of the following:

A malicious consignment (or code that constructs such a consignment), together with a clear, detailed explanation of the elements that exploit the vulnerability; or

A test case that reproduces a scenario that could not occur without exploiting the vulnerability. Such submissions qualify for the additional payout described in the rewards policy above.

04 — Prize
Reward per vulnerability
The reward for each valid and demonstrated bug is set at 10,000 USD per vulnerability, provided it meets the reproducibility and impact criteria described in this policy. Additional bonuses may be awarded at the discretion of the review team for exceptional submissions that include extensive technical analysis, testing frameworks, or verified mitigation proposals.

05 — Code reference
Submissions that reference, analyze, or exploit code outside of these repositories — including forks, unofficial implementations, outdated versions, or third-party projects — will not be considered eligible.
Important. Any submission not strictly based on the official repositories will be automatically rejected and will not qualify for a reward.

Resources
Additional reference
Researchers are expected to be familiar with the existing RGB codebase, tooling, and documentation before submitting disclosures.
Reference website
rgb.info

Get in touch
Contact the Association
For security disclosures, program inquiries, or general matters related to the RGB Bug Bounty Program, the Association welcomes direct conversations.
