Program Overview

About this program

Jupiter is Solana’s leading DEX aggregator and onchain trading platform, providing a broad suite of products including perpetuals, lending, governance, and more, alongside web and mobile applications. As Jupiter’s attack surface spans both blockchain programs and traditional web infrastructure, this bug bounty program is separated into two parallel tracks — Web3 and Web2 — each with distinct assets, impacts, rewards, and rules.

Rewards are reserved for vulnerabilities that materially threaten user funds, protocol solvency, governance integrity, or user data. Theoretical issues and deviations from best practice are out of scope.

Eligibility

You are eligible to participate if you:

Are not a current or former employee, contractor, or any affiliated entity within the past 24 months
Are not on any government sanctions list and do not reside in an OFAC-sanctioned jurisdiction
Are the first researcher to report the issue
Comply with the guidelines and rules below

Reporting Guidelines

Please provide all the evidence and proof of concept (POC) exclusively on this platform. Refrain from uploading POCs on any third-party services, such as Google Drive, Github, YouTube, etc.

Reports must include a valid proof of concept (PoC) that allows our team to reliably reproduce the vulnerability.
For Web3 vulnerabilities, accepted PoCs include:
- A working Solana Program test demonstrating successful exploitation
- A reproducible exploit against a localnet using tools such as Surfpool, LiteSVM, or equivalent custom testing environments
For Web2 vulnerabilities, accepted PoCs may include reproducible Python, JavaScript, Bash scripts, or equivalent tooling demonstrating the issue.
Reports must contain clear reproduction steps, required prerequisites, attack assumptions, and an explanation of the security impact.
Any exploit scenario that requires social engineering, phishing, impersonation, or tricking users or employees into performing unintended actions is out of scope.
For vulnerabilities involving personally identifiable information (PII), clearly specify the type of data exposed and minimize the amount of sensitive data included in the report. Sensitive information should be redacted or truncated whenever possible.

Research Guidelines

Scope & Authorization

Test only within the defined scope.
Interact only with accounts, wallets, or assets you own.
Smart contract testing must use a local mainnet fork or equivalent isolated environment. Live mainnet exploitation is prohibited.

Testing Conduct

Testing must be safe, controlled, and non-disruptive to production systems and users.
Cap requests at ~5/second. Avoid traffic patterns that could degrade availability.
No automated scanners, fuzzers, or crawlers that generate significant load. Manual testing is preferred.
If you encounter sensitive data or active exploitation risk, stop immediately and report it.

Prohibited Activities

DoS/DDoS, spam, or volumetric attacks.
Social engineering of any kind (phishing, vishing, smishing, pretexting, impersonation).
Physical attacks against Jupiter property, personnel, or infrastructure.
Accessing, modifying, or retaining other users' data or accounts.
Testing third-party services Jupiter does not own.

Data Handling

If you inadvertently access sensitive data (PII, passwords, emails, private keys, etc.): stop, do not retain or share it, and disclose in your report.
Collect only the minimum data needed to prove the issue.

Reward Policy

Duplicates: only the first valid, reproducible submission is rewarded.
Final reward amounts are at the Jupiter security team's discretion.

Legal & Disclosure

Do not share vulnerability details with third parties without written permission.
Good-faith research under these guidelines will not be subject to legal action. Violations fall outside this safe harbor.

About this program

Eligibility

You are eligible to participate if you:

Are not a current or former employee, contractor, or any affiliated entity within the past 24 months

Are not on any government sanctions list and do not reside in an OFAC-sanctioned jurisdiction

Are the first researcher to report the issue

Comply with the guidelines and rules below

Reporting Guidelines

Please provide all the evidence and proof of concept (POC) exclusively on this platform. Refrain from uploading POCs on any third-party services, such as Google Drive, Github, YouTube, etc.

Reports must include a valid proof of concept (PoC) that allows our team to reliably reproduce the vulnerability.

For Web3 vulnerabilities, accepted PoCs include:

A working Solana Program test demonstrating successful exploitation
A reproducible exploit against a localnet using tools such as Surfpool, LiteSVM, or equivalent custom testing environments

For Web2 vulnerabilities, accepted PoCs may include reproducible Python, JavaScript, Bash scripts, or equivalent tooling demonstrating the issue.

Reports must contain clear reproduction steps, required prerequisites, attack assumptions, and an explanation of the security impact.

Any exploit scenario that requires social engineering, phishing, impersonation, or tricking users or employees into performing unintended actions is out of scope.

For vulnerabilities involving personally identifiable information (PII), clearly specify the type of data exposed and minimize the amount of sensitive data included in the report. Sensitive information should be redacted or truncated whenever possible.

Testing Conduct

Testing must be safe, controlled, and non-disruptive to production systems and users.

Cap requests at ~5/second. Avoid traffic patterns that could degrade availability.

No automated scanners, fuzzers, or crawlers that generate significant load. Manual testing is preferred.

If you encounter sensitive data or active exploitation risk, stop immediately and report it.

Prohibited Activities

DoS/DDoS, spam, or volumetric attacks.

Social engineering of any kind (phishing, vishing, smishing, pretexting, impersonation).

Physical attacks against Jupiter property, personnel, or infrastructure.

Accessing, modifying, or retaining other users' data or accounts.

Testing third-party services Jupiter does not own.