Algorand takes the security of the platform and of its users very seriously. We recognize the important role of external security researchers and developers in helping keep our community safe. As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately with reasonable time to respond, and avoid compromise of other users and accounts, or loss of funds that are not your own. We do not reward denial of service, spam, or social engineering vulnerabilities. If you believe that you have found a security vulnerability you may disclose it via Algorand's bug bounty program on Immunefi.
The bug bounty will cover Algorand’s open-source core protocol software. Further details about the scope of assets included in the bug bounty and details on the reward levels can be found here. For vulnerabilities found in our repositories aside from the core protocol (e.g. in the SDKs), there is no bounty but we welcome reports to [email protected]