[{"id":3771441,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in Stellar Development Foundation maintained repositories, services, and infrastructure. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities through the bug bounty program described on this page.\n\n# Responsible Disclosure\n\nOur development team may take up to 90 days to implement a fix based on the severity of the report. Please allow this process to fully complete before publicly disclosing a vulnerability.\n\n# Rewards\n\nWe reward researchers who find valid security issues with a bounty paid in lumens (XLM). The Stellar.org Bug Bounty Panel evaluates award size using technical severity calculated with CVSS v3.1 Base Score together with business impact, such as the affected asset, the number of impacted participants, the sensitivity of exposed data, and the financial or reputational consequences to the network. Reports with higher business impact may receive higher rewards than reports with lower business impact, even when the technical severity is the same. 
Final awards are determined at the sole discretion of the panel.\n\n* Critical: 0 to 25 000 points\n* High: 0 to 15 000 points\n* Medium: 0 to 10 000 points\n* Low: 0 to 2 000 points\n* Note: 0 to 500 points\n\n1 point currently corresponds to 1 USD, payable in lumens (XLM), though this may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to its maximum practical impact.\n\nTo receive a payout, researchers must successfully complete valid KYC before payment is issued.\n\n# Eligibility\n\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of Stellar Development Foundation maintained applications, services, or infrastructure could be eligible for a reward. However, it is entirely at our discretion to decide whether a bug is significant enough to qualify.\n\nIn general, anything with the potential for financial loss or data breach is considered sufficiently severe, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Crash bugs in Stellar-RPC or Horizon, for example a bug that can crash the application by sending a special request, not by sending thousands of requests\n\nThe following reports are submitted very often and will generally be marked as **Not Applicable**:\n\n* SPF or DMARC issues\n* CORS headers on endpoints that are intentionally accessible from other domains\n* Issues with third party services we use, such as Mailgun or Segment\n* Logout CSRF\n* Vulnerabilities in third party libraries without a working exploit against our applications or servers\n* Publicly readable AWS S3 buckets containing Stellar ledger history, because this data is public\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity and may be marked as **Not Applicable**:\n\n* Version disclosure\n* Missing security headers\n* 
Cookies without the `secure` flag\n* Recently disclosed 0-day vulnerabilities without demonstrated impact to our environment\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on an in-scope Stellar property\n* Vulnerabilities that depend on physical access, social engineering, spam, or DDoS\n* Vulnerabilities affecting outdated or unpatched browsers\n* Vulnerabilities in third party applications that make use of Stellar APIs\n* Reports that have not been responsibly investigated and documented\n* Bugs already known to us, or already reported by another researcher, where the reward goes to the first valid reporter\n* Issues that are not reproducible\n* Issues that we cannot reasonably be expected to remediate\n* Archived GitHub repositories or projects\n* GitHub repository forks\n\n# Scope\n\nThis HackerOne program covers SDF maintained open-source repositories, services, applications, and websites.\n\n## In scope\n\nOpen-source repositories:\n* All open-source projects under the [Stellar GitHub organization](https://github.com/orgs/stellar/repositories), unless a repository explicitly states that it is out of scope or is covered by a separate security program\n\nOnline services, apps, and websites:\n* [https://www.stellar.org](https://www.stellar.org)\n* [https://www.stellar.org/account-viewer](https://www.stellar.org/account-viewer)\n* [https://launch.stellar.org](https://launch.stellar.org)\n* [https://api.stellar.org](https://api.stellar.org)\n* [https://developers.stellar.org](https://developers.stellar.org)\n* [https://communityfund.stellar.org](https://communityfund.stellar.org)\n\n## Out of scope\n\n* Archived GitHub repositories and projects\n* GitHub repository forks\n* Repositories that explicitly state they are out of scope\n* Vulnerabilities affecting the Stellar protocol\n* Repositories, services, or assets covered by the separate Immunefi program\n* Any repositories or assets explicitly listed as out of scope in 
the Immunefi program, including:\n  * [stellar-core](https://github.com/stellar/stellar-core)\n  * [stellar-protocol](https://github.com/stellar/stellar-protocol)\n\n# Best Practices\n\n* Please use your local instance of Horizon or Stellar-RPC and a separate network, not testnet or pubnet, when researching security bugs where possible. For example, you can use our Docker image. Blockchains are public, and someone may observe your findings and report a bug before you do.\n* For issues that depend on a specific runtime or environment, we strongly encourage a containerized Proof of Concept, such as a Dockerfile, when it materially improves reproducibility.\n\n# Submission Requirements\n\nAll reports, regardless of severity, must include:\n\n* A description of the vulnerability and the affected asset\n* Step by step reproduction, also known as a Proof of Concept (PoC), including actual requests, responses, or an exploit script\n* A clear impact statement tied to confidentiality, integrity, or availability\n* Evidence that the issue is reproducible, such as screenshots, logs, transaction IDs, or a minimal working script\n\nReports submitted without a sufficient PoC will be triaged as Needs More Info and will not be eligible for payout until a sufficient PoC is provided.\n\n# Report a Bug\n\n* Submit your report at [https://hackerone.com/stellar/reports/new](https://hackerone.com/stellar/reports/new)\n* Include as much detail as possible, including a description of the issue, its potential impact, and clear reproduction steps or a Proof of Concept\n* Please allow 3 business days for an initial response before following up\n\n# Legal\n\nYou may not participate in this program if you are a resident of, or are located in, a country that appears on any U.S. 
sanctions list.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-20T17:26:28.419Z"},{"id":3769949,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The Stellar.org Bug Bounty Panel will evaluate award sizes according to technical severity calculated using CVSS v3.0 Base Score, plus business impact (e.g. - what asset is affected, how many participants in the Stellar network are impacted, what data is at risk, or what the financial/reputational consequences to the network are). Reports with high business impact will get higher rewards than reports with lower business impact (even for the same technical severity calculated using CVSS v3.0 Base Score). 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-RPC or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in 3rd party libraries without a working exploit against our apps/servers.\n* Readable AWS S3 buckets with Stellar ledger history - this is public.\n* WordPress admin usernames disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n* Archived GitHub repositories/projects\n\n# Scope\nOur open source WEB2 projects:\n* [Horizon](https://github.com/stellar/horizon)\n* [Stellar-RPC](https://github.com/stellar/stellar-rpc)\n* All WEB2 open-source projects under the [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* 
https://launch.stellar.org\n* https://api.stellar.org\n* https://developers.stellar.org\n* https://communityfund.stellar.org\n\n# Best practices\n* Please use your local instance of Horizon / Stellar-RPC and a separate network (not the test/public network) when searching for security bugs (e.g. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-19T22:17:22.140Z"},{"id":3768903,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. 
Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated using the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-RPC or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in 3rd party libraries without a working exploit against our apps/servers.\n* Readable AWS S3 buckets with Stellar ledger history - this is public.\n* WordPress admin usernames disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n* Archived GitHub repositories/projects\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, and so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source WEB2 projects:\n* [Horizon](https://github.com/stellar/horizon)\n* [Stellar-RPC](https://github.com/stellar/stellar-rpc)\n* All WEB2 open-source projects under the [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* https://launch.stellar.org\n* https://api.stellar.org\n* https://developers.stellar.org\n* https://communityfund.stellar.org\n\n# Best practices\n* Please use your local instance of Horizon / Stellar-RPC and a separate network (not the test/public network) when searching for security bugs (e.g. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-28T18:45:18.808Z"},{"id":3749710,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-RPC or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in 3rd party libraries without a working exploit against our apps/servers.\n* Readable AWS S3 buckets with Stellar ledger history - this is public.\n* WordPress admin usernames disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n* Archived GitHub repositories/projects\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, and so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source WEB2 projects:\n* [Horizon](https://github.com/stellar/horizon)\n* [Stellar-RPC](https://github.com/stellar/stellar-rpc)\n* All WEB2 open-source projects under the [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* https://launch.stellar.org\n* https://api.stellar.org\n* https://developers.stellar.org\n* https://communityfund.stellar.org\n\n# Best practices\n* Please use your local instance of Horizon / Stellar-RPC and a separate network (not the test/public network) when searching for security bugs (e.g. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-06T20:15:39.623Z"},{"id":3735876,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in 3rd party libraries without a working exploit against our apps/servers.\n* Readable AWS S3 buckets with Stellar ledger history - this is public.\n* WordPress admin usernames disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n* Archived GitHub repositories/projects\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, and so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n* All our open-source projects under the [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* https://launch.stellar.org\n* https://api.stellar.org\n* https://invite.stellar.org\n* https://soroban.stellar.org\n* https://developers.stellar.org\n* https://communityfund.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test/public network) when searching for security bugs (e.g. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-12T19:36:50.724Z"},{"id":3728994,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in third-party libraries without a working exploit against our apps or servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin username disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third-party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (the reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n* All our open-source projects under [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* https://launch.stellar.org\n* https://api.stellar.org\n* https://invite.stellar.org\n* https://soroban.stellar.org\n* https://developers.stellar.org\n* https://communityfund.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (for example, you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster, and you will get your reward more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-07T16:35:19.280Z"},{"id":3710110,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe reward researchers who find bugs with a bounty paid in our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity, calculated using the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in third-party libraries without a working exploit against our apps or servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin username disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third-party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (the reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n* All our open-source projects under [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* https://launch.stellar.org\n* https://api.stellar.org\n* https://invite.stellar.org\n* https://soroban.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (for example, you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster, and you will get your reward more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-02T21:30:03.266Z"},{"id":3689169,"new_policy":"*We are excited to announce a new program with higher rewards dedicated to the source code of Soroban, our smart contract platform! Head over to [https://hackerone.com/soroban?type=team](https://hackerone.com/soroban?type=team) to access it*\n\nThe Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe reward researchers who find bugs with a bounty paid in our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity, calculated using the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in third-party libraries without a working exploit against our apps or servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin username disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third-party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (the reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n* All our open-source projects under [Stellar.org organization](https://github.com/orgs/stellar/repositories)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer\n* https://launch.stellar.org\n* https://api.stellar.org\n* https://invite.stellar.org\n* https://soroban.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (for example, you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster, and you will get your reward more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-12T04:59:13.249Z"},{"id":3681595,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe reward researchers who find bugs with a bounty paid in our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity, calculated using the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in third-party libraries without a working exploit against our apps or servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin username disclosure.\n* Content Delivery Network bypass\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third-party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (the reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer/\n* https://launch.stellar.org/\n* https://api.stellar.org\n* https://invite.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (for example, you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster, and you will get your reward more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-03T12:15:16.891Z"},{"id":3557113,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe reward researchers who find bugs with a bounty paid in our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity, calculated using the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in third-party libraries without a working exploit against our apps or servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin username disclosure.\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third-party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (the reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer/\n* https://launch.stellar.org/\n* https://api.stellar.org\n* https://invite.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (for example, you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster, and you will get your reward more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-07T18:14:26.341Z"},{"id":3557112,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe reward researchers who find bugs with a bounty paid in our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity, calculated using the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for a reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for a reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (e.g. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nIn general, the following would not meet the threshold for severity (and can be marked **Not Applicable**):\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third-party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (the reward goes to the first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\nThe following reports are submitted very often and will be marked as **Not Applicable**:\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in third-party libraries without a working exploit against our apps or servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin username disclosure.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer/\n* https://launch.stellar.org/\n* https://api.stellar.org\n* https://invite.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (ex. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-07T18:13:37.453Z"},{"id":3557111,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (ex. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nIn general, the following would not meet the threshold for severity:\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\nThe following reports will be marked as **Not Applicable**:\n* SPF/DMARC records.\n* CORS headers on endpoints meant to be accessible from other domains.\n* Issues with other services we use (Mailgun, Segment, etc.).\n* Logout CSRF.\n* Vulnerabilities in 3rd party libraries without a working exploit against our apps/servers.\n* Readable AWS S3 buckets with Stellar ledger history - this data is public.\n* WordPress admin usernames disclosure.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer/\n* https://launch.stellar.org/\n* https://api.stellar.org\n* https://invite.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (ex. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-07T18:12:53.288Z"},{"id":3555626,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (ex. 
a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nIn general, the following would not meet the threshold for severity:\n\n* Version disclosure.\n* Lack of security headers.\n* Cookies without the `secure` flag.\n* Recently disclosed 0-day vulnerabilities.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. 
There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer/\n* https://launch.stellar.org/\n* https://api.stellar.org\n* https://invite.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (ex. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-13T14:17:15.685Z"},{"id":3555570,"new_policy":"The Stellar Bug Bounty Program provides bounties for vulnerabilities and exploits discovered in the Stellar protocol or any of the code in our repos. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n# Responsible Disclosure\nOur development team has up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability.\n\n# Rewards\nWe are rewarding researchers that find bugs with a bounty of our digital currency, lumens (XLM). The amount of the award depends on the degree of severity of the vulnerability reported.\n\nThe Stellar.org Bug Bounty Panel will evaluate award sizes according to severity calculated according to the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model based on Impact and Likelihood. 
However, final awards are determined at the sole discretion of the panel:\n\n* Critical: up to 25 000 points\n* High: up to 15 000 points\n* Medium: up to 10 000 points\n* Low: up to 2 000 points\n* Note: up to 500 points\n\n1 point currently corresponds to 1 USD (payable in lumens (XLM)), something which may change without prior notice.\n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\n# Eligibility\nGenerally speaking, any bug that poses a significant vulnerability to the security or integrity of the Stellar Network could be eligible for reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* Implementation bugs that can lead to financial loss\n* Access to our production servers\n* Remote Code Execution\n* Protocol bugs\n* Crash bug in Stellar-core or Horizon (ex. a bug that can crash the app by sending a special request, not by sending thousands of requests).\n\nIn general, the following would not meet the threshold for severity:\n\n* Recently disclosed 0-day vulnerabilities.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.\n* Vulnerabilities affecting outdated or unpatched browsers.\n* Vulnerabilities in third party applications that make use of Stellar’s API.\n* Bugs that have not been responsibly investigated and reported.\n* Bugs already known to us, or already reported by someone else (reward goes to first reporter).\n* Issues that aren't reproducible.\n* Issues that we can't reasonably be expected to do anything about.\n\n# Severity\nThe severity of a bug, i.e. 
how many participants in the Stellar network are affected, is taken into consideration when deciding the bounty payout amount. For example, an exploit that relies on an implementation bug in stellar-core affects the network as a whole and very deeply. There are no alternate implementations of stellar-core, so a bug that affects stellar-core would pay out higher than, for example, an XSS bug.\n\n# Scope\nOur open source projects:\n* [Stellar-core](https://github.com/stellar/stellar-core)\n* [Horizon](https://github.com/stellar/horizon)\n* [Bridge and compliance server](https://github.com/stellar/bridge-server)\n\nSDKs:\n* [Go SDK](https://github.com/stellar/go)\n* [Java SDK](https://github.com/stellar/java-stellar-sdk)\n* [JS SDK](https://github.com/stellar/js-stellar-sdk)\n\nOur online services, apps and websites:\n* https://www.stellar.org\n* https://www.stellar.org/account-viewer/\n* https://launch.stellar.org/\n* https://api.stellar.org\n* https://invite.stellar.org\n\n# Best practices\n* Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs (ex. you can use our Docker image). Remember that blockchains are public and someone may see your findings and report a bug before you.\n* A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster and you will get your rewards more quickly.\n\n# Report a bug\n* Submit your bug at https://hackerone.com/stellar/reports/new\n* Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.\n* Please allow 3 business days for us to respond before sending another email.\n\n# Legal\nYou may not participate in this program if you are a resident or individual located within a country appearing on any U.S. 
sanctions lists.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-12T17:49:12.325Z"}]