At Hiro, we are dedicated to building developer tools for the Stacks blockchain, which enables apps and smart contracts on Bitcoin.
Ensuring the safety and security of our products is of utmost importance to us. We highly value the contributions of external security researchers and appreciate their invaluable efforts in enhancing the security of the Stacks ecosystem.
If you have discovered a bug or vulnerability in any of our products, we encourage you to report it to us. We will work closely with you to investigate and resolve the issue promptly.
Rewards
We offer rewards based on the severity of the bugs you discover. The following table outlines the reward ranges for different bug severities:
| Severity | Reward |
|---|---|
| Low severity bugs | $50+ |
| Medium severity bugs | $150+ |
| High severity bugs | $300+ |
| Critical severity bugs | $600+ |
Please note that these are just general guidelines, and actual rewards will be determined based on the severity and impact of the reported vulnerabilities.
We will process and reward bounties promptly after triage.
Scope
The following Hiro products and repositories are in scope for the bug bounty program:
- Stacks Explorer: Observability tool for the Stacks Blockchain. GitHub repository
- Hiro Platform: A web app that aims to bring all our tools under one DX. (Closed-source project)
- Stacks Blockchain API: Stacks public REST API. GitHub repository
- Chainhooks: Indexing engine that helps developers extract on-chain data.
- Clarinet: CLI tool that facilitates writing, testing, integrating, and deploying Clarity smart contracts. GitHub repository
- Clarity VSCode Extension: Provides validation, syntax highlighting, code completion, and debugging for Clarity smart contracts. GitHub repository
- Stacks.js: JavaScript SDK for apps on Stacks. GitHub repository
- Stacks Subnets: Layer-2 scaling solution in the Stacks blockchain.
- Ordinals Explorer: Observability tool for the Ordinals protocol. GitHub repository
- Ordinals API: Ordinals REST API
Out of scope
The following items are considered out of scope for the Hiro bug bounty program:
- Stacks Blockchain: For issues related to the Stacks blockchain, please report them through the Stacks Blockchain Bounty Program.
- Ordinals Protocol: The Hiro bug bounty program does not cover reports related to the Ordinals protocol or Hiro's Ordinals Explorer.
- Bitcoin: Reports related to the Bitcoin blockchain are also out of scope for the Hiro bug bounty program.
- Stacks Wallet for desktop: (macOS, Windows, or Linux) GitHub repository
- Stacks Wallet for the web: (Chrome, Brave, or Firefox) GitHub repository
Disclosure Policy
We kindly request that you adhere to the following guidelines when participating in our program:
- Upon discovering a potential security issue, please notify us as soon as possible; after investigation and thorough evaluation, we will make every effort to resolve the issue promptly.
- Please provide us with a reasonable amount of time to investigate and address the issue before disclosing it to the public or any third party. Our team is available Monday to Friday and will make a best effort to meet the following SLAs for hackers participating in our program:
  - First Response: 2 business days
  - Time to Triage: 7 business days
  - Time to Resolution: will depend on severity and complexity
- Make a good faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services. Only interact with accounts you own or with explicit permission from the account holder.
- We request that you refrain from engaging in activities such as:
  - Denial of service attacks
  - Spamming
  - Social engineering (including phishing) targeting Hiro PBC staff or contractors
  - Any physical attempts against Hiro PBC property or data centers
Thank you for your valuable contributions to maintaining the security of Hiro and our users. We greatly appreciate your efforts in helping us create a safe and reliable Stacks ecosystem.