RGB Bug Bounty Program

Securing the protocol
through responsible disclosure

The RGB Bug Bounty Program rewards security researchers who responsibly disclose vulnerabilities in the RGB protocol implementation. Below is the framework under which the program operates when active.

Status

Program currently suspended

The RGB Bug Bounty Program is temporarily paused while the Association redefines its operational structure. The framework described on this page applies when the program is active. For urgent security disclosures while the program is suspended, please contact the Association directly.


01 — Eligibility

Eligibility & responsible disclosure

When the program is active, researchers must work with the Association in good faith by following this responsible disclosure policy; doing so is required to be eligible for a reward and ensures no legal action will be taken against the researcher.

Report bugs only to the Association, and as fast as possible. Avoid sharing information with third parties until a fix is available. Submit reports to rgb.bugbounty@proton.me.

Do not violate the privacy of other users while investigating or demonstrating a vulnerability.

Exploit only what is needed to prove a security vulnerability, and promptly return any assets that may be obtained to their legitimate owners.

02 — Rewards policy

Rewards policy

Only vulnerabilities enabling inflation or double-spend attacks are eligible for rewards. Rewards are determined according to the severity and impact of the vulnerability, with the final payout reflecting the quality of the report and the usefulness of any remediation guidance or proof of concept (PoC) provided.

Severity categories

High

Inflation and double-spend vulnerabilities.

High-quality submissions that include a reliable test case or reproducible PoC will receive an increased payout. In particular, providing an executable test that clearly reproduces the issue grants an additional bonus of 10% on top of the base bounty.

03 — Scope & target

Scope & target

The main target of this bug bounty program is RGB consignment validation. Any attack involving a malicious consignment that goes undetected by an honest receiver is considered valid.

In order to prove a vulnerability, the researcher must provide either of the following:

a malicious consignment (or code that constructs such a consignment), together with a clear, detailed explanation of the elements that exploit the vulnerability; or

a test case that reproduces a scenario that could not occur without exploiting the vulnerability. Such submissions qualify for the additional payout described in the rewards policy above.

04 — Prize

Reward per vulnerability

The reward for each valid and demonstrated bug is set at 10,000 USD per vulnerability, provided it meets the reproducibility and impact criteria described in this policy. Additional bonuses may be awarded at the discretion of the review team for exceptional submissions that include extensive technical analysis, testing frameworks, or verified mitigation proposals.

10,000 USD per vulnerability

05 — Code reference

Code reference & scope clarification

All security research and vulnerability reports must be based exclusively on the official RGB Protocol repositories maintained under the following organization:

Submissions that reference, analyze, or exploit code outside of these repositories — including forks, unofficial implementations, outdated versions, or third-party projects — will not be considered eligible.

Important. Any submission not strictly based on the official repositories will be automatically rejected and will not qualify for a reward.

Resources

Additional reference

Researchers are expected to be familiar with the existing RGB codebase, tooling, and documentation before submitting disclosures.

Official RGB documentation

docs.rgb.info →

Reference website

rgb.info →

Get in touch

Contact the Association

For security disclosures, programme inquiries, or general matters related to the RGB Bug Bounty Program, the Association welcomes direct conversations.