Bug Bounty

Find a bug. Earn XE.

Help harden the protocol before genesis. Report vulnerabilities through GitHub and earn up to 10,000 XE per finding — paid out in native XE at mainnet launch.

  • Max reward: 10,000 XE
  • Severity tiers: 5
  • Submission channel: GitHub
  • Payout date: Genesis
Reward Tiers

Severity assigned by the XE core team based on impact, exploitability, and report quality. Amounts are targeted ceilings — exceptional findings may exceed them.

Critical
10,000 XE

Catastrophic protocol breaks. Unauthorised mint, double-spend, key recovery, or lattice compromise.

Severe
5,000 XE

Network-wide degradation, censorship, escrow bypass, signature forgery. Exploitable and damaging at scale.

High
2,500 XE

Targeted DoS, race conditions, replay attacks, privilege escalation in relay services.

Medium
1,000 XE

Validation gaps, fee mismatch, non-sensitive disclosure, inconsistent API responses.

Minor
100 XE

UI bugs, typos, broken explorer views, misleading log messages, documentation errors.

Bug Classes

Illustrative examples per tier. If you find something impactful that doesn't fit below, report it anyway.

Tier | Bug class | Examples | Reward
Critical | Consensus & supply integrity | unauthorised mint · double spend · chain fork · quorum bypass | 10,000 XE
Critical | Cryptographic compromise | key recovery · signature forgery · HSM escape · identity hijack | 10,000 XE
Severe | Escrow & lease manipulation | escrow bypass · collateral drain · reward fraud · lease replay | 5,000 XE
Severe | Network-wide DoS & censorship | node crash · swarm partition · tx censorship · liveness break | 5,000 XE
Severe | State chain corruption | multisig bypass · governance hijack · invalid state | 5,000 XE
High | Targeted DoS & resource exhaustion | memory leak · resource exhaustion · account lockout · RPC amplification | 2,500 XE
High | Race conditions & state transition bugs | race condition · replay attack · state inconsistency · TOCTOU | 2,500 XE
High | Privilege escalation in relays | sandbox escape · tenant isolation · privilege escalation | 2,500 XE
Medium | Validation & accounting edge cases | fee mismatch · validation gap · API inconsistency · overflow | 1,000 XE
Medium | Information disclosure | metadata leak · verbose error · debug exposure | 1,000 XE
Minor | UI/UX, docs & cosmetic | layout · responsive · a11y · typo · broken link · log noise | 100 XE

Leaderboard

Ranked by total XE awarded. Updates as reports are triaged.

Rank | Researcher | Reports | XE Earned
No reports accepted yet. Submit a finding via GitHub to claim the top spot.

Rebuilds nightly from bounty-paid labels on xeprotocol/core.

How to Report

All reports go through GitHub Issues on xeprotocol/core. Public-by-default for transparency.

1. Reproduce against testnet
   Verify on test.network. Capture tx hashes, block heights, and exact reproduction steps.

2. Open an issue with the bug_bounty template
   Apply the bug-bounty label. Suggest a severity tier.

3. Include a clear PoC
   Minimal reproduction script or test case. Impact analysis: who's affected, worst case.

4. Sensitive findings: encrypt first
   Critical/Severe issues risking funds: email security@xe.network with a PGP-encrypted summary first.

5. Triage & acceptance
   Core team confirms, assigns severity, and labels the issue bounty-accepted. After the fix: bounty-paid.

6. Payout at genesis
   All bounties pay in native XE at mainnet launch. Provide a testnet-format address in the issue.

Scope

In Scope

  • Core node software in xeprotocol/core
  • Block lattice, consensus, state chain logic
  • XE and XUSD asset accounting
  • Lease, escrow, and emission flows
  • Wallet and CLI (xe) tooling
  • Embedded web UI and API
  • Testnet RPC endpoints at test.network
  • Hardware identity attestation paths

Out of Scope

  • Social engineering of XE staff or users
  • Physical attacks on hardware
  • Volumetric DDoS against testnet
  • Spam/rate-limit abuse without protocol impact
  • Third-party deps without XE-specific exploit
  • Marketing pages without functional impact
  • Self-XSS and missing headers without exploit
  • Issues requiring a compromised user device
Rules

Ready to break things?

Spin up an account on testnet, hammer the network, and tell us what falls over.