Flux bug bounty program

The Flux Community and Foundation are happy to announce the Flux bug bounty program to reward security researchers and developers who invest their time and effort into finding bugs or exploits in Flux.

What can you earn?

All bugs will be evaluated according to the CVSS scoring scale and rewarded accordingly. The CVSS levels are:


CVSS Score




500-1000 Flux



250-500 Flux



150-500 Flux



50 Flux



10 Flux

How it works

You will receive rewards based on the severity of the issue found if you:

  1. Make all possible effort to not interrupt or degrade our service.

  2. Do not attempt to gain unauthorized access to user accounts, assets or information (use your own account/accounts to test against).

  3. Do not copy or modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.

  4. Do not exploit a security issue you discover beyond the point of validation on your own accounts/nodes.

  5. Consent to be added to a list published of researchers who have submitted valid security reports.

  6. However, should you wish to remain anonymous, we will respect your privacy. You must inform us at the time of submission, and we will not add your name to aforementioned list.

  7. We reserve the right to determine timeframes for publishing reports (and accompanying updates) pertaining to each instance. However, we will provide best effort information to you on all such issues.

Additionally, in order to qualify for rewards you must adhere to the following responsible disclosure policy:

  1. For Zelcore related issues: exploits and bugs are restricted to your own account or instance of the Zelcore wallet and have been carried out for validation purposes only.

  2. For website related issues: No data is removed from the website upon discovery.

  3. The Flux Blockchain and nodes: Any and all exploits be confined to a private testnet or regtest for validation purposes. Any code modifications carried out to run exploits need to be disclosed along with the effects for full validation.

  4. For the FluxOS distributed operating system, any and all exploits are confined to their own nodes for validation purposes. Should additional nodes be required to fully validate more serious exploits, the Flux team will assist with a private testnet.

  5. Submissions can only be made to [email protected] or via direct message to a developer on Discord in either case using the attached PGP keys for encryption is a requirement.

  6. Include an email for responses in your report.

  7. Adhere to timeframes laid out in initial confirmation of report emails.

Please note that we have the right to remove you from the bug bounty program and disqualify you from receiving any bounty rewards if you are in violation of any national, state, or local law or regulation.

Qualifying bugs

The following list is by no means exhaustive, so if you have a bug that is not on either the qualifying or non-qualifying lists, report it, it will be covered.

  1. Injection flaws such as SQL, noSQL, Mongodb or OS injection that tricks command interpreter into executing unintended commands without proper authorization.

  2. Broken authentication/session management that allows compromise of passwords, keys or session tokens.

  3. Sensitive data exposure due to improper protection of data via insecure API or flaw in cryptography implementation.

  4. Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context.

  5. Remote Code Execution (RCE).

  6. Insecure direct object references.

  7. Privilege escalation.

  8. Directory traversal.

  9. Open redirects.

  10. Spoofing enablement.

  11. Any significant abuse-related methodologies that could lead to significant harm.

Non-qualifying bugs

  1. Non-original or previously disclosed/reported bugs (with fixes currently underway).

  2. Non-technical attacks such as social engineering, phishing, or physical attacks against entities or infrastructure.

  3. Any degrading/damaging the reliability or integrity of our services (such as DDoS attacks, man in the middle attacks, spamming, and similar questionable acts).

  4. Any software not directly produced by the Flux team.

  5. Domains hosted by third parties (e.g.: Github, Gitlab, etc).

  6. Subdomains operated by third parties (e.g: info.runonflux.io).

  7. Any Flux branded services operated by third parties.

How to report a bug

Send an email using the below PGP keys to [email protected] and no other email address. Failing to use the attached PGP keys for the bug report will invalidate any security issues higher than level 2 on the CVSS scale.

Process to follow

  1. Write up a report on your findings.

  2. PGP Encrypt the report with keys from URL.

  3. Within 24 hours you will have an acknowledgement.

  4. Adhere to timeline and additional information requests from the Flux team outlined in the acknowledgement email.

  5. Discuss publication times and names.

  6. Collect bounty.

  7. Get published.

PGP key


mQENBF9aW/oBCACeTz66NgwhKzlGVNN65SlwFwUbrhBljDC393ww0pO1kdjDtIBu VkHknJeTaXbeGSKYXskQgL8hORIhoOxSsbRSFaq6s3e/dHukUOR3g2tp1myFMvsK stATCdWzWQNAe/7EMEnvenW6B9NwZd2bCXweIVneXZGzqwMaMqKGwR+cH47ngve7 LtpJC9NLQ3hOAoyRTKmvaCkSCVAek4uGa4QYiRJgr866QYuag09sTUUOVMpq8H/T kiRHGRDLvFWeObvreBM9eJv5zwhwTItqNtb6mIzkL8InJYhsRqR8+bHdH7z3QtMb eRaG0A8mGKaGXIQXL+6eGUJasKqaEpeonIYRABEBAAG0K3NlY3VyaXR5QHplbC5u ZXR3b3JrIDxzZWN1cml0eUB6ZWwubmV0d29yaz6JAU4EEwEIADgWIQSRhMlBCliD ig7+bBCgOr/bRBsxiQUCX1pb+gIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK CRCgOr/bRBsxiRbsB/40/fxFiDgp9cXcfciQOEAMoZ6APMEUFLj3+RTJeJuRA+Xf w4/6Z3kvxcDWXxWPh94QPWFzZtt1LKYDhs/p0CG7IyWN5k3fKCJ0XobjND7MDycp DrOVD8D13Ez2xV2ZeRhJoTPron6mCy8xhU2e7lTduvyxnjKSWEAxZj3Gh58b/Jqa A7t1Y+gH1QFAAKNVutPgmEtwbBiXk/VCEricy0SOq43vaN2YrW56GAhtbrdRFmiw CrwqA5wU7ZkcFRq2YHHb6S+u4p4bA7/aezgvlM/oZCbH1PbdASApEkztRk46D72o PCq799tb4lKvDh2eqX1Z7Fvbh2poacY72/xc/EaLuQENBF9aW/oBCAD7CDpbaiME txr2aHw6O2oAfhZ+FhAZYgnPhy5aHwt0C/3I8Kc7SdvigEhKlhdmwjGxvh9i6h/3 xQ5no5eH7YsPDqU/00G2igVl5Ph3N5wJYmqe1MNP8eCNd9jTLuNhnK07Vbdjfo33 +88hxOFYf78gcv/O/SgX1EHecl6DFrNZZaqzLr1wIDAJZbeLZe4mQpIyTZ2wC2ys anZlF7Y4MJixWE9prpIjd4JPfxhj1kp1+MLGWxj6/YbRexeU8jS153EO92Yvepbf 2bQf5X2UZyhcacTSLtvXFW5S80BBqDLYA/elzHhyhNQz3MCxFUrWQwlie1iOnNHY Yakei53UczZzABEBAAGJATYEGAEIACAWIQSRhMlBCliDig7+bBCgOr/bRBsxiQUC X1pb+gIbDAAKCRCgOr/bRBsxiWc3B/4iMsGrhNMyB8ab8jUwTuW4JXF8Et5X6gvJ I5pTR33euZgtupRF3H/QyqpL2u5vc/vLFpqH4khjuvAaLHt8gNRCoMqJoPQi3Oli 3J2bIKOFz5JXsVTFyWCYYOzJENgoxkfOV+qxvvzBWcTbyZoHTsY1/BqDGEnE49rt YG9XJ9OWkTp1MMOSHKmTfxR1JSIxlr1HUDDBnEef4qzR/TnQZW6PVqZQpc6LlZFb D0ko5jJrW5uU9d4NYySO5/lr07PxQ10DbJL3RAQCKiNczP/pU8YhJ+BGgod5kZi5 tCuvxUjUzXCP0d7/0o7anQN7meq/P+JLKZRZmIzCH1ISwsDztyur =crmk