Bug Bounty

Program

Mysten Labs welcomes feedback from security researchers and the general public to help improve our security.

Bug Bounty

Program

Mysten Labs welcomes feedback from security researchers and the general public to help improve our security.

Bug Bounty

Program

Mysten Labs welcomes feedback from security researchers and the general public to help improve our security.

Bug Bounty

Program

Mysten Labs welcomes feedback from security researchers and the general public to help improve our security.

Bug Bounty

Program

Mysten Labs welcomes feedback from security researchers and the general public to help improve our security.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you.

The policy below outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you.

The policy below outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you.

The policy below outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you.

The policy below outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you.

The policy below outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

Sui Wallet

We strongly encourage you to focus on vulnerabilities that could materially affect the confidentiality, integrity, or availability of user information or funds.


All reports should be submitted with a valid proof of concept (PoC) and detailed steps for replication to be considered valid. Please test out attacks on Testnet to evaluate if there can be state changes to objects.

We strongly encourage you to focus on vulnerabilities that could materially affect the confidentiality, integrity, or availability of user information or funds.


All reports should be submitted with a valid proof of concept (PoC) and detailed steps for replication to be considered valid. Please test out attacks on Testnet to evaluate if there can be state changes to objects.

We strongly encourage you to focus on vulnerabilities that could materially affect the confidentiality, integrity, or availability of user information or funds.


All reports should be submitted with a valid proof of concept (PoC) and detailed steps for replication to be considered valid. Please test out attacks on Testnet to evaluate if there can be state changes to objects.

What not to report

Out of Scope

Out of Scope

Out of Scope

The following components and vulnerability types are considered out-of-scope for this program:

Sui Explorer

Vulnerabilities within the Sui Explorer, including front-end and smart contract components

SuiFrens

This includes the website, infrastructure and smart contracts

SuiNS

This includes the website, infrastructure and smart contracts

Sui Kiosk and Kiosk Extensions

Code that implements royalty and other enforcements

Third-party Integrations

Vulnerabilities in services, platforms, libraries, or other components not directly controlled by Mysten Labs

Physical Security

Vulnerabilities that require physical access to a user's device or data center

Denial of Service (DoS) Attacks

While we are aware of the potential for DoS attacks, our focus is on vulnerabilities that could lead to unauthorized access or data leakage, so DoS attacks are out-of-scope

Version-specific vulnerabilities

Vulnerabilities that only exist in outdated versions of our products, smart contracts, or wallet extension

Clickjacking

User Interface redress attacks, also known as clickjacking

Tabnabbing

Phishing attack that targets the inactive tabs in your browser

Best Practices

Failure to adhere to "Best Practices" or recommendations (i.e., CWE-200), unless a viable, concrete attack scenario is presented

Self-XSS

Self-Cross-Site Scripting vulnerabilities

Missing HTTP Security Headers

Unless you can demonstrate a concrete security risk, missing security headers will be considered out-of-scope and dismissed with prejudice

Expired SSL Certificates

Attacks

Requiring MITM or physical access to a user's device

Issues

That require unlikely user interaction (e.g. entering their seed phrase into a form)

Open redirect

Unless an additional security impact can be demonstrated

Any Reports

From Employees or recently hired auditors

Known Security Issues

From previous reports or Audits set forth below.

zkLogin features

Rules & Rewards

Rules

Rules

Rules

To maintain integrity, avoid potential conflicts of interest, and ensure an effective bug bounty/auditing program, the following restrictions apply:

Current employees, vendors (auditors), partners and contractors of Mysten Labs and Sui Foundation are not eligible to participate in the program.

Former employees and contractors of Mysten Labs and Sui Foundation, who ceased working with the aforementioned entities must wait 6 months from the last date of employment before being eligible to participate in the program.

Sanctioned individuals and/or organizations are not eligible to participate in the program.

Responsible Disclosure

If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.

No

Disruption

No Disruption

No Disruption

No Disruption

No Disruption

If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.

No

Harm

No Harm

No Harm

No Harm

No Harm

Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.

Avoid Privacy

Compromise

Avoid Privacy Compromise

Avoid Privacy Compromise

Avoid Privacy Compromise

Avoid Privacy Compromise

Testing should not compromise the privacy of any individual or entity.

Rules & Rewards

Rewards

Rewards

Rewards

Our rewards for wallets and websites are based on severity per the Common Vulnerability Scoring Standard. Please note that these are general guidelines, and reward decisions are subject to the discretion of Mysten Labs.

Mysten Labs may change or modify the amounts or types of rewards and may remove or reallocate any rewards earned by any participant or elect not to provide any rewards to any participant for any reason.

Mysten Labs may change or modify the amounts or types of rewards and may remove or reallocate any rewards earned by any participant or elect not to provide any rewards to any participant for any reason.

Distribution of rewards will follow reward determinations made by Mysten Labs, and will be subject to successful completion of KYC process (details below).

Distribution of rewards will follow reward determinations made by Mysten Labs, and will be subject to successful completion of KYC process (details below).

Payments will be denominated in SUI.

U.S. persons will receive rewards denominated in USD.

Payments will be denominated in SUI. U.S. persons will receive rewards denominated in USD.

Payments will be denominated in SUI. U.S. persons will receive rewards denominated in USD.

Severity

Severity

Severity

Severity

CVSS Score

CVSS Score

CVSS Score

CVSS Score

Initial Acknowledgement

Initial Acknowledgement

Initial Acknowledgement

Initial Acknowledgement

Rewards

Rewards

Rewards

Rewards

Critical (Wallet only)

Critical (Wallet only)

Critical

(Wallet only)

Critical (Wallet only)

9 - 10

9 - 10

9 - 10

9 - 10

24 Hours

24 Hours

24 Hours

24 Hours

$10,000-$30,000

$10,000-$30,000

$10,000-$30,000

$10,000-$30,000

High

High

High

High

7.0 - 8.9

7.0 - 8.9

7.0 - 8.9

7.0 - 8.9

48 Hours

48 Hours

48 Hours

48 Hours

$3,000

$3,000

$3,000

$3,000

Medium

Medium

Medium

Medium

4.0 - 6.9

4.0 - 6.9

4.0 - 6.9

4.0 - 6.9

72 Hours

72 Hours

72 Hours

72 Hours

$2,000

$2,000

$2,000

$2,000

Low

Low

Low

Low

0 - 3.9

0 - 3.9

0 - 3.9

0 - 3.9

1 Week

1 Week

1 Week

1 Week

$1,000

$1,000

$1,000

$1,000

Key Verifications

Key Verifications

Key Verifications

Upon validating a reported bug, we will notify you about the reward amount. Payouts will be processed following our KYC (Know Your Customer) procedures. Please note that all researchers eligible for a reward will be required to go through our KYC process.

The KYC process is necessary to prevent fraudulent activities and comply with international regulations. We ensure that all personal information collected during this process will be stored securely and used solely for the purpose of the KYC process.

KYC DOCUMENTS REQUIRED

A government-issued identification document (Passport, National ID, or Driver's License)

Proof of address (Utility Bill, Bank Statement, or any official document showing your full name and address)

Failure to successfully pass the KYC process will result in the withholding of the bounty payout. We appreciate your understanding and cooperation in this matter.

Safe Harbor Policy

Safe Harbor Policy

Safe Harbor Policy

When conducting vulnerability research, we consider research conducted solely under this program to be:

01

Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith actions that would otherwise constitute hacking;

02

Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of our technology controls;

03

Exempt from any restrictions in our Terms of Service (TOS) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and

04

Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. 

Note that this section applies only to legal claims brought by Mysten Labs, and that this section does not bind independent third parties or law enforcement authorities.

Scope & impact

Impact in Scope for Wallet

Impact in Scope for Wallet

Impact in Scope for Wallet

The funds being frozen or locked within the wallet, and otherwise irrecoverable

The funds being stolen by an attacker through leaking of the Secret Recovery Phrase or transactions specifically when visiting a webpage

Entire set of accounts being irrecoverable using existing flows in the app.

Critical

  • Execution of unauthorized system commands

  • Retrieval of sensitive data/files from the server

  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:

    • Modifying user registration information

    • Altering NFT metadata

    • Seizing control of a subdomain through interaction with an already-connected wallet

    • Direct unauthorized access or theft of user funds

  • Malicious interactions with an already-connected wallet such as:

    • Changing transaction arguments or parameters

    • Substituting contract addresses

    • Submitting malicious transactions

    • Direct theft of user NFTs

    • Injection of malicious HTML or XSS through NFT metadata

High

Medium

Low

Critical

  • Execution of unauthorized system commands

  • Retrieval of sensitive data/files from the server

  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:

    • Modifying user registration information

    • Altering NFT metadata

    • Seizing control of a subdomain through interaction with an already-connected wallet

    • Direct unauthorized access or theft of user funds

  • Malicious interactions with an already-connected wallet such as:

    • Changing transaction arguments or parameters

    • Substituting contract addresses

    • Submitting malicious transactions

    • Direct theft of user NFTs

    • Injection of malicious HTML or XSS through NFT metadata

High

Medium

Low

Critical

  • Execution of unauthorized system commands

  • Retrieval of sensitive data/files from the server

  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:

    • Modifying user registration information

    • Altering NFT metadata

    • Seizing control of a subdomain through interaction with an already-connected wallet

    • Direct unauthorized access or theft of user funds

  • Malicious interactions with an already-connected wallet such as:

    • Changing transaction arguments or parameters

    • Substituting contract addresses

    • Submitting malicious transactions

    • Direct theft of user NFTs

    • Injection of malicious HTML or XSS through NFT metadata

High

Medium

Low

Critical

  • Execution of unauthorized system commands

  • Retrieval of sensitive data/files from the server

  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:

    • Modifying user registration information

    • Altering NFT metadata

    • Seizing control of a subdomain through interaction with an already-connected wallet

    • Direct unauthorized access or theft of user funds

  • Malicious interactions with an already-connected wallet such as:

    • Changing transaction arguments or parameters

    • Substituting contract addresses

    • Submitting malicious transactions

    • Direct theft of user NFTs

    • Injection of malicious HTML or XSS through NFT metadata

High

Medium

Low

Critical

  • Execution of unauthorized system commands

  • Retrieval of sensitive data/files from the server

  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:

    • Modifying user registration information

    • Altering NFT metadata

    • Seizing control of a subdomain through interaction with an already-connected wallet

    • Direct unauthorized access or theft of user funds

  • Malicious interactions with an already-connected wallet such as:

    • Changing transaction arguments or parameters

    • Substituting contract addresses

    • Submitting malicious transactions

    • Direct theft of user NFTs

    • Injection of malicious HTML or XSS through NFT metadata

High

Medium

Low

Acknowledgements

Hall of Fame

Hall of Fame

Hall of Fame

Once submissions have been validated, we will make public the identity of participants who elect to have their name (or nickname) published. Otherwise, we will list the participant as anonymous.

Who we are

Learn about Mysten Labs

See how Mysten is making moves toward a truly decentralized future

View About Us

© 2024 Mysten Labs. All Rights Reserved.

Who we are

Learn about Mysten Labs

See how Mysten is making moves toward a truly decentralized future

View About Us

© 2024 Mysten Labs.

All Rights Reserved.

Who we are

Learn about Mysten Labs

See how Mysten is making moves toward a truly decentralized future

View About Us

© 2024 Mysten Labs. All Rights Reserved.

Who we are

Learn about Mysten Labs

See how Mysten is making moves toward a truly decentralized future

View About Us

© 2024 Mysten Labs. All Rights Reserved.

Who we are

Learn about Mysten Labs

See how Mysten is making moves toward a truly decentralized future

View About Us

© 2024 Mysten Labs.

All Rights Reserved.