QRL Primary Report, 2024

Read More

QRL Bug Bounty Program

Ready to report a bug? Visit the Security Report Page

Table of Contents

General Requirements

Generally speaking, any bug that poses a significant vulnerability, either to the soundness of protocols and protocol/implementation compliance to network security, to classical client security, as well as security of cryptographic primitives, could be eligible for a reward. Please note that it is entirely our discretion to decide whether a bug is significant enough to qualify for a reward.

Examples include:

  • An attack that could disrupt the entire network and harm the validity to the network would be considered a critical threat.
  • An attack that would disrupt service to others would be regarded as a high threat.

Please note: the submission quality will be a significant factor in the level of considered compensation. A high-quality submission includes explaining how the bug can be reproduced, how it was discovered, and otherwise critical details. Please disclose responsibly: prior disclosure to any third parties disqualifies bug bounty eligibility.

Testing Requirements

Your testing must not violate any law or compromise any data (or funds) that is not yours and must take place on local running testnets.

Responsible investigation and reporting include, but is not limited to, the following:

  • Don’t violate the privacy of other users, destroy data, etc.
  • Don’t defraud or harm the QRL network or its users during your research; you should make a good faith effort not to interrupt or degrade our services.
  • Don’t target the QRL network nodes’ physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • Initially, report the bug only to us and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to our users or us. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.


Actively developed public GitHub repository code is generally considered in-scope. This includes the core node software, QRLLIB library, the web/desktop wallet and mobile wallet alongside ancillary libraries, services and tools.

Pre-release software may be considered in-scope although prior to code audit and release a high or critical grading cannot be applied to bug reports.

Excluded from the scope of the Bug Bounty Program are:

  • Static websites (such as this one)
  • Our infrastructure, dns, email etc,
  • Known issues or dependencies flagged by code-scanners

The Bug Bounty program does not cover bugs on code bases that are external to or written on top of the QRL protocol. We can help reach out to affected parties of out-of-scope products built on or around the QRL protocol.

Possible Awards

Complete, validated, in-scope reports are eligible for the award of cash bounty subject to the legal requirements and conditions noted below.

All valid findings, even if ineligible for a bounty, are subject to Hall-of-Fame kudos points. Our Hall-of-Fame forms part of the award of additional annual bounty to ethical researchers dedicated to improving our protocol.

Special Notes

The bug bounty program is an experimental and discretionary rewards program for our active QRL community to encourage and reward those who are helping to improve the platform.

You should know that we can change or cancel the program at any time, and awards are at the sole discretion of QRL Foundation Bug Bounty Panel.

In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). Local laws require us to ask for proof of your identity. You are responsible for all taxes.

All awards are subject to applicable law.

Your testing must not violate any law or compromise any data (or funds) that is not yours and must take place on local running testnets.

Issues without a proof-of-concept, that have already been submitted by another user or are already known to specification/repository maintainers are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty.

Employees and contractors of the QRL Foundation or client teams in scope of the bounty program may participate in the program only in the accrual of points/kudos and will not receive monetary rewards.

The QRL Bug Bounty Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the QRL Foundation Bug Bounty Panel.

To be eligible for reward, a working PoC and remediation guideline is expected but not required.

Ready to report a bug? Visit the Security Report Page

Hall of Fame

PositionPointsBug hunterBugs found