Presenting Matic Network’s HackerOne Bug Bounty Program


We’re calling upon all developers to take part in our recently launched Bug Bounty Program, hosted on HackerOne, to find vulnerabilities in our codebase and help us to ensure the utmost security and robustness of our network.

You can find our HackerOne page below:

Whether you’re a hacker, attacker, security researcher or engineer, put your skills to use finding vulnerabilities, security issues, or bugs in our codebase and earn up to $5,000 per reported issue.

We’ve explained the program rules, terms and details on our HackerOne Bug Bounty page, but you will also find an introduction to the program below.


Test Plan

Getting Started

Setting up

The Matic CLI repo is an easy way to set up and manage Matic validator nodes in a local environment. This lets you simulate tests and attacks locally rather than against the live testnet.

If you want to run a node on the Counter Stake – Stage 2 staking testnet, follow the instructions at these links:

Getting Tokens for Counter Stake – Stage 2 Testing

  • To get tokens, use our faucet at https://faucet.matic.network/ and choose the Goerli network, or send an email with your ETH address to delroy(@)matic.network

You’re now set up to start looking for vulnerabilities!


Rewards & Attack Examples

Our rewards are based on severity as rated by CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines, and reward decisions are at the discretion of the Matic Network team.

Below are some indicative examples of valid attacks that could be carried out on Matic Network:

In-Scope Repositories

The repositories of the three major components of our mainnet are within the scope of this program, including:

  • Heimdall – This GitHub repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system: it manages validators, Block Producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.
  • Bor – The Bor node, or the Block Producer implementation, is essentially the sidechain operator. The sidechain VM is EVM-compatible.
  • Contracts – This repository contains the smart contracts that power Matic Network.

More information regarding out-of-scope repositories and vulnerabilities can be found on our HackerOne Bug Bounty page.


Let’s Get Hacking!

At Matic, we’re building infrastructure that enables Ethereum DApps to reach mass-adoption levels of users. Become part of this journey, help us ensure a secure and robust network for our growing ecosystem of DApps and network users, and be rewarded in the process. What could be better?

If you have any questions, comments, or would like to discuss anything relating to the program, leave a post on our Dev Forum or join us at the Matic Dev Forum Discord channel:

Head to HackerOne and start testing. Thank you for helping to keep Matic Network and our users safe!

Happy hacking 🙂

– Matic Network team
