How can I report a vulnerability in Wormhole?

If you have found a vulnerability in Wormhole, you can report it through the bug bounty program that Wormhole launched in February 2022. The program is one of the largest in the crypto space, with a record-breaking $10 million USDC reward pool. It aims to encourage white-hat hackers to find and report bugs in the Wormhole protocol, and to reward them for their contributions to the security and reliability of the cross-chain bridge.

To report a vulnerability, you need to follow these steps:

  • Visit the official website of the bug bounty program and read the details about the payout structure, the assets in scope, and the terms and conditions.

  • Submit your bug report using the form on the website. You need to provide your name, email, wallet address, description of the vulnerability, steps to reproduce it, and any supporting evidence or code.

  • Wait for the confirmation email from the Wormhole team. They will review your report and contact you within 72 hours.

  • If your report is eligible for a reward, you will need to comply with the KYC requirements. You will need to provide proof of address, a copy of your passport, and a filled-out and signed W-9 or W-8BEN form, depending on your tax status.

  • Once your KYC is verified, you will receive your reward in USDC at your wallet address.

The reward amount will depend on the severity and impact of the vulnerability. The highest reward for a critical bug is up to $2.5 million USDC. Wormhole has already paid out several bounties to white-hat hackers who reported bugs in its smart contracts and core layer.