Energy Web Bug Bounty Program
The Energy Web Bug Bounty Program exists to incentivize and reward members of the community who identify and help resolve security vulnerabilities in the EW Chain, Utility Layer, EW-DOS toolkits, and auxiliary EW-related tools and infrastructure.
The scope of the program includes issues that can result in the loss of functionality and/or data in all public EW GitHub repositories and hosted applications (Switchboard, EWC Bridge, Key Manager). The primary areas of interest are:
> Access/Identity vulnerabilities
> Logical Errors
> Exploitation - XSS, CSRF, SQL injection, SSL misconfigurations etc.
> Smart Contract Errors
> Cryptography Errors
The following are out of scope and excluded from the Bug Bounty program:
> DNS, configuration, and hosting of the
> Any known vulnerabilities reported on third-party sites (e.g., Hackerone)
> Any previously-reported vulnerabilities (those listed on
> Any vulnerability found using common open-source scanner tools ( e.g.,
Bugs are categorized at the sole discretion of the Energy Web Technical Committee using a risk assessment matrix based on impact and likelihood. The reward for a given bug is proportional to its severity; rewards are also higher for reporting a bug along with a recommended resolution than for reporting a bug alone.
Severity categories are defined as follows:
> Low = vulnerabilities that may result in reduced functionality for certain users under specific conditions.
> Moderate = vulnerabilities that will result in reduced functionality for all users under existing conditions.
> High = vulnerabilities that may result in 1) loss or reduced access to EWT, private keys, or personally-identifiable information for some users under certain conditions, or 2) complete system failure for some users under certain conditions.
> Critical = vulnerabilities that will result in irrevocable loss of EWT, private keys, or personally-identifiable information and/or complete system failure for all users under existing conditions.
To be eligible for the reward, a reporter must meet ALL of the following criteria:
1. Complete the form below and provide a description of the reproducible bug, including a script and/or detailed step-by-step instructions on how to expose the vulnerability.
2. The reporter must include a high-level summary, a detailed attack / failure scenario, and a proposed impact / likelihood. Reporters must show the impact of the vulnerability, in other words what harm an attacker could potentially do with the retrieved information. Some vulnerabilities look critical but cannot be exploited in a harmful way (e.g. a disclosed server root password looks critical, but only matters if that server is reachable from the internet). If also providing a resolution, the reporter must include an invitation to the relevant private GitHub repository and/or related documentation.
3. The reporter must also provide an address for the EWT bounty reward.
4. Be the first person to report the issue (see list of known issues below)
5. Not disclose any details of the bug / vulnerability publicly.
6. Not be a paid auditor or contractor of EWF.
Upon receipt of a vulnerability report, the EW team will review the details and respond directly if the vulnerability is deemed to be credible and eligible for the program under the terms above. Due to the volume of reports, not all reports will receive a direct response.
What is your legal name? (Required to be eligible for an EWT bounty reward)
What is your country of residency? (Required to be eligible for an EWT bounty reward)
What is your Energy Web Chain address? (Required to be eligible for an EWT bounty reward)
If you would like public recognition for your contributions, please provide your handle to Github, Twitter, Telegram, and/or Discord.
Provide a brief description of the bug / vulnerability (200 characters max).
What is the primary system and/or application impacted by the vulnerability?
Energy Web Chain (system contract, client, installation script, chainspec)
EWC Block Explorer (
Key Manager (
Energy Web Zero (
Energy Web Origin (
DID and IAM Libraries (
Another public EWF Github repository
If you selected "Other" above, please specify below and include the affected URL.
Provide a description of the reproducible bug, including a script and/or detailed step-by-step instructions on how to expose the vulnerability
Describe the worst-case scenario / maximum impact if this bug was fully exploited.
What is the likelihood of this bug being exploited?
Low - it is not well known and/or very difficult to exploit.
Medium - it requires some specific knowledge.
High - it is a well-known issue that anyone could easily exploit.
What is the level of effort required to exploit this bug?
Low - anyone could exploit it, and/or there are existing scripts / tools that can automate the process.
Medium - it would require some degree of skill, experience, or access.
High - it requires highly specialized knowledge, privileged access, and/or many hours of work.