Bug bounty (alternative)

Multichain encourages the community to review our code and security while we encourage responsible disclosure of any problems. We, therefore, roll out Bug Bounty Program (BBP) concurrently. The Program aims at recognizing the value of working with the community of independent security researchers and reflects our definition of credibility and your expectations to us in the process of identifying and reporting vulnerabilities. Through BBP, we encourage the discovery and reporting of any potential vulnerabilities in Multichain or possible vulnerabilities under new technologies in the future, so as to realize the long-term and continuous improvement and security enhancement of Multichain.


Multichain will provide considerable rewards for discovering and submitting vulnerabilities. The number of rewards is directly proportional to the severity and availability of vulnerabilities. Multichain will provide a reward of $500 to $1,000,000 for eligible discoveries under the terms provided below.


The main BBP scope includes the entire architecture of Multichain, as well as all currently deployed components, developer documents and listed assets and smart contract addresses. Smart contracts and applications built by third-party developers on the basis of Multichain are not included in the Program's reward scope. The BBP's scope also includes the potential vulnerabilities that have an impact on operations of https://multichain.org/ and provide liquidity.


Submit the vulnerabilities discovered to security@multichain.org. Or submit it online via the Zendesk on Multichain official website. The submitted content needs to include clear and concise steps, including the reproduction of vulnerabilities in written or video format. Multichain will follow up immediately after confirmation.

For the correction plan concurrently submitted, once it is confirmed to be effective and finally adopted, the developers will receive more rewards.


To win the Bug reward, you must:

  • Within the scope of Multichain BBP, identify and submit a previously undiscovered, non-public vulnerability.

  • Include adequate details in your disclosure to enable our engineers to quickly reproduce, understand and fix the vulnerability.

  • Report as an individual or, if employed by a company, submit the vulnerability with the written approval of the company.

  • Current or former employees of Multichain, vendors, contractors or employees of vendors and contractors will not be accepted.

  • Submissions inconsistent with the laws and regulations of the country where the submitter is located will not be accepted.

To encourage vulnerability research and avoid confusion between vulnerability submissions and malicious attacks, we ask you to:

  • Comply with the rules, including compliance with the terms and conditions of the Program and any other relevant agreement. In case of any contradiction between this procedure and any other relevant agreement, the terms of this procedure shall prevail.

  • Report any vulnerabilities you have discovered in a timely manner.

  • Avoid violating other's privacy, damaging our system, damaging data or damaging the user experience.

  • Please discuss vulnerabilities with us via security@multichain.org. Or submit it online via the Zendesk on Multichain official website.

  • Do not release and disclose details of any vulnerabilities identified to others until they are fixed.

  • Perform tests only on systems within the scope and respect systems and activities out of the scope.

  • Interact only with the account you own or with the explicit permission of the account holder.

  • Blackmail, extortion or any other illegal act must not be engaged.

When working with us under this Program, you can expect us to:

  • Provide big rewards to eligible discoveries according to the vulnerability severity and availability on Multichain.

  • Multichain will not file any legal proceedings against anyone who threatens or follows BBP.

  • Work with you to learn and validate your reporting, including prompt preliminary responses to submissions.

  • Repair the vulnerabilities discovered in a timely manner.

  • If you are the first person to report unique vulnerabilities and your reporting triggers code or configuration changes, please acknowledge your contribution to our security improvement.

All award decisions, including eligibility and payment amount, are at Multichain sole discretion. Multichain reserves the right to refuse to submit and change the terms and conditions of the Program.

Last updated