Snowbridge 2026/2027 Bug Bounty Proposal
Snowbridge Bug Bounty Programme Proposal Aug 2026-July 2027
This proposal requests funding to renew the Snowbridge bug bounty programme, which expired on 16 April 2026. Snowbridge secures ~$35M in TVL and processes $10M–$20M in monthly volume - a vulnerability could result in catastrophic loss of user funds and severe reputational damage to the Polkadot ecosystem.
The previous programme, run on HackenProof for one year, was funded by the Snowbridge team out of their own milestones. It received over 500 submissions, of which approximately 5 were valid findings that led to fixes ($22,300 paid out through HackenProof, plus $15,000 paid for a security report logged before the HackenProof programme began). The programme must be renewed to ensure proper security coverage.
The total request is $355,000, covering 12 months of bug bounty operations.
Programme Scope
In Scope
The bug bounty covers all Snowbridge on-chain code (Ethereum contracts and Snowbridge Polkadot on-chain code). The full scope can be viewed on our HackenProof programme page: https://hackenproof.com/programs/snowbridge-on-chain-code
Out of Scope
- Off-chain relayers
- Frontend / dApp
- SDK and tooling
Severity Levels and Rewards
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct loss of user funds, consensus bypass, unauthorized minting/burning | $30,000 – $75,000 |
| High | Temporary freezing of funds, griefing attacks with material cost to users | $6,000 – $20,000 |
| Medium | Non-critical logic errors, state inconsistencies that don't risk funds | $2,000 – $5,000 |
| Low | Informational findings, gas optimizations, minor code quality issues | $200 – $1,000 |
Programme Operations
Platform
The programme will continue on HackenProof, which hosted the previous year's programme.
Reporting
Bi-yearly reports to the community on:
- Number of submissions received
- Number of valid findings and their severity
- Rewards paid out
- Remaining fund balance
Cost Breakdown
Bug Bounty Fund
| # | Item | Cost |
|---|---|---|
| 1 | Bug bounty reward pool (12 months) | $250,000 |
| 2 | HackenProof platform fee (12 months) | $5,000 |
| | Total | $255,000 |
The reward pool covers payouts for valid findings. After 10 months, we will liaise with the Treasury to determine plans for the next year of Snowbridge; unspent funds will either carry over into the next year's pool or be returned to the treasury. The pool must be large enough to credibly incentivize security researchers to investigate critical-severity vulnerabilities. Should the reward pool be depleted before the end of the 12-month period, the programme will be paused until a top-up proposal passes Treasury governance.
Triage and Response Engineering
Running a bug bounty is not passive. The previous year's programme received over 500 submissions, the vast majority being false positives (estimated 99%). Each submission requires investigation and triage, ideally within 24 hours. Valid findings require additional time for root cause analysis, fix development, testing, and deployment.
This workload is increasing due to LLM-generated submissions, which are higher volume but lower quality - still requiring human review to identify the rare valid finding. We are working on setting up triage automations, which will help manage the increasing volume but will not eliminate the need for human review.
| # | Item | Cost |
|---|---|---|
| 1 | Triage, investigation & resolution | $100,000 |
| | Total | $100,000 |
Total
| # | Item | Cost |
|---|---|---|
| 1 | Bug bounty fund (reward pool + platform) | $255,000 |
| 2 | Triage and response engineering | $100,000 |
| | Total | $355,000 |