Mysten Labs Bug Bounty Program
Mysten Labs welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you. The policy below outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
We strongly encourage you to focus on vulnerabilities that could materially affect the confidentiality, integrity, or availability of user information or funds. All reports should be submitted with a valid proof of concept (PoC) and detailed steps for replication to be considered valid. Please test out attacks on Testnet to evaluate if there can be state changes to objects.
The following components and vulnerability types are considered out-of-scope for this program:
- Sui Explorer: Vulnerabilities within the Sui Explorer, including front-end and smart contract components
- SuiFrens: This includes the website, infrastructure and smart contracts
- SuiNS: This includes the website, infrastructure and smart contracts
- Sui Kiosk and Kiosk Extensions: Code that implements royalty and other enforcements
- Third-party Integrations: Vulnerabilities in services, platforms, libraries, or other components not directly controlled by Mysten Labs
- Physical Security: Vulnerabilities that require physical access to a user's device or data center
- Phishing: Social engineering attacks, such as phishing, vishing, or any other manipulative techniques
- Denial of Service (DoS) Attacks: While we are aware of the potential for DoS attacks, our focus is on vulnerabilities that could lead to unauthorized access or data leakage, so DoS attacks are out-of-scope
- Version-specific vulnerabilities: Vulnerabilities that only exist in outdated versions of our products, smart contracts, or wallet extension
- Clickjacking: User Interface redress attacks, also known as clickjacking
- Best Practices Failure to adhere to "Best Practices" or recommendations (i.e., CWE-200), unless a viable, concrete attack scenario is presented.
- Self-XSS: Self-Cross-Site Scripting vulnerabilities
- Missing HTTP Security Headers: Unless you can demonstrate a concrete security risk, missing security headers will be considered out-of-scope and dismissed with prejudice
- Expired SSL Certificates
- Attacks requiring MITM or physical access to a user's device.
- Issues that require unlikely user interaction (e.g. entering their seed phrase into a form)
- Open redirect - unless an additional security impact canbe demonstrated
- Any reports from Employees or recently hired auditors
- Any Alpha/Beta Features
- Known Security Issues from previous reports or Audits set forth below.
- zkLogin features
Rules & Rewards
If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.
Researchers should not disrupt our services and should minimize the impact of their testing on our users and systems.
Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.
Avoid Compromising Privacy:
Testing should not compromise the privacy of any individual or entity.
To maintain integrity, avoid potential conflicts of interest, and ensure an effective bug bounty/auditing program, the following restrictions apply:
Current employees, vendors (auditors), partners and contractors of Mysten Labs and Sui Foundation are not eligible to participate in the program.
Former employees and contractors of Mysten Labs and Sui Foundation, who ceased working with the aforementioned entities must wait 6 months from the last date of employment before being eligible to participate in the program.
Sanctioned individuals and/or organizations are not eligible to participate in the program.
These restrictions are put in place to ensure the objectivity of the program and to prevent any potential conflicts of interest.
How to Submit a Suspected Vulnerability
Please send an email to firstname.lastname@example.org with the following:
Detailed steps to reproduce the bug
The potential impact of the bug
Any potential fixes
Please note that submission requirements may be updated from time to time.
SLAs and Rewards
Websites and Wallet
|Sui Wallet||CVSS Score||Initial Acknowledgement||Rewards|
9 - 10
7.0 - 8.9
4.0 - 6.9
0 - 3.9
Our rewards for wallets and websites are based on severity per the Common Vulnerability Scoring Standard. Please note that these are general guidelines, and reward decisions are subject to the discretion of Mysten Labs. Mysten Labs may change or modify the amounts or types of rewards and may remove or reallocate any rewards earned by any participant or elect not to provide any rewards to any participant for any reason. Distribution of rewards will follow reward determinations made by Mysten Labs, and will be subject to successful completion of KYC process (below).
Payments will be denominated in SUI. U.S. persons will receive rewards denominated in USD.
Upon validating a reported bug, we will notify you about the reward amount. Payouts will be processed following our KYC (Know Your Customer) procedures. Please note that all researchers eligible for a reward will be required to go through our KYC process.
The KYC process is necessary to prevent fraudulent activities and comply with international regulations. We ensure that all personal information collected during this process will be stored securely and used solely for the purpose of the KYC process.
During the KYC process, you may be asked to provide the following:
- A government-issued identification document (Passport, National ID, or Driver's License)
- Proof of address (Utility Bill, Bank Statement, or any official document showing your full name and address)
Failure to successfully pass the KYC process will result in the withholding of the bounty payout. We appreciate your understanding and cooperation in this matter.
Safe Harbor Policy
When conducting vulnerability research, we consider researchconducted solely under this program to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith actions that would otherwise constitute hacking;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of our technology controls;
- Exempt from any restrictions in our Terms of Service (TOS) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with these terms, please contact us at email@example.com for further guidance.
Note that this section applies only to legal claims brought by Mysten Labs, and that this section does not bind independent third parties or law enforcement authorities.
Detailed Scope and Impact
Impact in Scope for Wallet
The funds being frozen or locked within the wallet, and otherwise irrecoverable
The funds being stolen by an attacker through leaking of the Secret Recovery Phrase or transactions specifically when visiting a webpage
Entire set of accounts being irrecoverable using existing flows in the app.
Impact in Scope for Website
Hall of Fame / Acknowledgements
Once submissions have been validated, we will make public the identity of participants who elect to have their name (or nickname) published. Otherwise, we will list the participant as anonymous.