Bug Bounty

Find a bug. Earn XE.

Help harden the protocol before genesis. Report vulnerabilities through GitHub and earn up to 10,000 XE per finding — paid out in native XE at mainnet launch.

  • Max Reward (XE): 10,000
  • Severity Tiers: 5
  • Submission Channel: GitHub
  • Payout Date: Genesis
  • Disclosure: Public

Reward Tiers

Severity assigned by the XE core team based on impact, exploitability, and report quality. Amounts are targeted ceilings — exceptional findings may exceed them.

Critical
10,000 XE

Catastrophic protocol breaks. Unauthorised mint, double-spend, key recovery, or lattice compromise.

Severe
5,000 XE

Network-wide degradation, censorship, escrow bypass, signature forgery. Exploitable and damaging at scale.

High
2,500 XE

Targeted DoS, race conditions, replay attacks, privilege escalation in relay services.

Medium
1,000 XE

Validation gaps, fee mismatch, non-sensitive disclosure, inconsistent API responses.

Minor
100 XE

UI bugs, typos, broken explorer views, misleading log messages, documentation errors.

Bug Classes

Illustrative examples per tier. If you find something impactful that doesn't fit below, report it anyway.

| Severity | Class | Examples | Reward |
|---|---|---|---|
| Critical | Consensus & supply integrity | unauthorised mint · double spend · chain fork · quorum bypass | 10,000 XE |
| Critical | Cryptographic compromise | key recovery · signature forgery · HSM escape · identity hijack | 10,000 XE |
| Severe | Escrow & lease manipulation | escrow bypass · collateral drain · reward fraud · lease replay | 5,000 XE |
| Severe | Network-wide DoS & censorship | node crash · swarm partition · tx censorship · liveness break | 5,000 XE |
| Severe | State chain corruption | multisig bypass · governance hijack · invalid state | 5,000 XE |
| High | Targeted DoS & resource exhaustion | memory leak · resource exhaustion · account lockout · RPC amplification | 2,500 XE |
| High | Race conditions & state transition bugs | race condition · replay attack · state inconsistency · TOCTOU | 2,500 XE |
| High | Privilege escalation in relays | sandbox escape · tenant isolation · privilege escalation | 2,500 XE |
| Medium | Validation & accounting edge cases | fee mismatch · validation gap · API inconsistency · overflow | 1,000 XE |
| Medium | Information disclosure | metadata leak · verbose error · debug exposure | 1,000 XE |
| Minor | UI/UX, docs & cosmetic | layout · responsive · a11y · typo · broken link · log noise | 100 XE |

Leaderboard

Ranked by total XE awarded. Updates as reports are triaged.

| Rank | Researcher | Reports | XE Earned |
|---|---|---|---|
| No reports accepted yet. | | | |

Submit a finding via GitHub to claim the top spot.

Rebuilds nightly from bounty-paid labels on xeprotocol/core.

How to Report

All reports go through GitHub Issues on xeprotocol/core. Public-by-default for transparency.

  1. Reproduce against testnet

     Verify on test.network. Capture tx hashes, block heights, exact reproduction steps.

  2. Open issue with bug_bounty template

     Apply bug-bounty label. Suggest a severity tier.

  3. Include a clear PoC

     Minimal reproduction script or test case. Impact analysis: who's affected, worst case.

  4. Sensitive findings: encrypt first

     Critical/Severe issues risking funds — email security@xe.network with a PGP-encrypted summary first.

  5. Triage & acceptance

     Core team confirms, assigns severity, labels bounty-accepted. After fix: bounty-paid.

  6. Payout at genesis

     All bounties pay in native XE at mainnet launch. Provide a testnet-format address in the issue.

Scope
In Scope
  • Core node software in xeprotocol/core
  • Block lattice, consensus, state chain logic
  • XE and XUSD asset accounting
  • Lease, escrow, and emission flows
  • Wallet and CLI (xe) tooling
  • Embedded web UI and API
  • Testnet RPC endpoints at test.network
  • Hardware identity attestation paths
Out of Scope
  • Social engineering of XE staff or users
  • Physical attacks on hardware
  • Volumetric DDoS against testnet
  • Spam/rate-limit abuse without protocol impact
  • Third-party deps without XE-specific exploit
  • Marketing pages without functional impact
  • Self-XSS and missing headers without exploit
  • Issues requiring a compromised user device
Rules

Ready to break things?

Spin up an account on testnet, hammer the network, and tell us what falls over.