Cosmos Stack Bug Bounty Program

Within the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams.

Our stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program is not the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.

The focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Cosmos Stack. Assets in scope include source code for integral components of Cosmos, and do not include third-party services or IT assets.

Bounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available here.

---

Program Rewards

While there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.

We evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.

Informational reports are not eligible for bounty rewards.

Rewards for eligible bugs are paid out according to issue severity:

• Critical: starting at $50,000
• High: starting at $25,000
• Medium: starting at $5,000
• Low: starting at $2,000

If duplicate reports are received, a bounty (if applicable) will be awarded to the first valid reporter.

When an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.

---

Coordinated Vulnerability Disclosure Policy

We are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.

This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. It supersedes all previous security policies used by individual teams or projects within scope.

For the most up-to-date version of this policy, please consult the HackerOne program page.

---

Our Commitments

When working with us under this policy, you can expect us to:

• Respond promptly and work with you to understand and validate reports
• Keep you informed about vulnerability status and progress
• Remediate valid vulnerabilities in a timely manner, within operational constraints
• Extend Safe Harbor for security research conducted in accordance with this policy

---

Our Expectations

When participating in this program in good faith, we ask that you:

• Follow this policy and all relevant agreements
• Report vulnerabilities promptly
• Avoid violating privacy, disrupting systems, destroying data, or harming user experience
• Use only Official Channels to discuss vulnerability information
• Allow at least 90 days from initial report before public disclosure
• Perform testing only on in-scope systems
• Limit data access strictly to what is required for proof of concept
• Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)
• Use only test accounts you own or have explicit permission to use
• Not engage in extortion or coercive behavior

Repeated submissions that do not meet program guidelines will result in a ban from the program.

Participants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.

---

Program Scope

We are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.

Examples include (but are not limited to):

• Memory allocation and safety issues
• Race conditions and concurrency bugs
• Timing attacks
• Information leaks
• Authentication or authorization bypasses
• Incorrect block or state validation
• Trivial denial-of-service issues
• Lost writes or state corruption
• Business logic flaws
• Transactions or payloads that cause unhandled panics

Release Policy Requirement

Only released code is eligible for bounty rewards.

To be considered valid and in scope:

• The issue must exist in released code that is tagged and actively maintained under the Cosmos Release Family Policy
• Code that exists only on main, master, or other development branches is not in scope

The Release Family Policy is defined here:
https://github.com/cosmos/security/blob/main/POLICY.md

---

In Scope

1. The issue must be exploitable in an intended deployed environment and configuration.
2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).
3. The issue must exist in a supported release according to the Release Family Policy.

---

Out of Scope

1. Issues requiring a compromised environment to exploit.
2. Assets not explicitly listed as in scope, including those not owned by participating teams.
3. Issues already publicly or privately addressed.
4. Third-party services and websites.
5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).
6. Documented configuration behaviors in expected deployment scenarios.
7. Governance misconfiguration-specific issues.
8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.
9. Social engineering attacks.
10. Scanner-generated or informational-only reports.
11. Dependency vulnerability reports without demonstrated impact on in-scope systems.
12. Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.
13. Architectural critiques without immediate exploitability.
14. Issues fixed upstream less than 90 days prior.
15. Downstream effects of previously resolved bounty issues.
16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the x/group, x/circuit, x/crisis, and x/nft modules are no longer in scope.

---

A Note on Gaia

Gaia is included only as a reference implementation of the Cosmos Stack.

All Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are out of scope for bounty rewards.

---

Program Policies

All submissions must include a Proof of Concept demonstrating real-world impact and exploitability. The proof of concept must be code that can be read and run by the security team. Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as "Not Applicable".

• PoCs must demonstrate real user flows
• Mock-only or database-only calls are insufficient
• Reports without adequate detail may be closed or returned

Submissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. All submissions must demonstrate genuine human understanding, manual testing, and original analysis.

To be eligible for consideration under our bug bounty program, researchers must meet the following criteria:

• Maintain a HackerOne reputation score above 150.
• Maintain a HackerOne signal above 1.
• Have a HackerOne profile that is at least 6 months old.
• If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.

Submissions from researchers who do not meet these requirements will be closed as Spam. Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.

---

Eligibility for Bounty

To be eligible for a bounty reward:

• You must not have been employed by or contracted to the team maintaining the affected code within the last 12 months
• You must submit exclusively through HackerOne
• Email submissions are not eligible for bounty rewards

---

Confidentiality

All communication regarding submitted issues must occur exclusively on HackerOne.

External communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.

---

Official Channels

• HackerOne: official vulnerability reporting platform
• Email (non-bounty): [email protected]

Email reports are accepted for disclosure purposes only and are not eligible for bounty rewards.

---

Disclosure

Public disclosure is supported only after an issue is marked Resolved on HackerOne.

Researchers may request attribution in advisories or release documentation once disclosure is approved.

---

Good Faith

Researchers must act respectfully and in good faith at all times. Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.

---

Safe Harbor

Research conducted in accordance with this policy is considered:

• Authorized under applicable anti-hacking and anti-circumvention laws
• Exempt from relevant TOS/AUP restrictions
• Conducted lawfully and in good faith

Safe Harbor applies only to claims under the control of participating organizations.