Does Autheo have a bug bounty or responsible disclosure program?

Coordinated disclosure timelines and bounty tiers follow industry best practices established by Google Project Zero, Microsoft MSRC, and Web3-native programs run on Immunefi and HackerOne.

Direct Answer

Yes. Autheo runs a public responsible disclosure program and a paid bug bounty for security researchers. Reports go to [email protected] today, and through HackerOne and Immunefi once Autheo's program is live on those venues. Rewards scale with severity, and critical findings earn the largest payouts. Coordinated disclosure timelines protect both researchers and users.

Reporting Channels

Researchers report vulnerabilities to [email protected]; PGP encryption is available for sensitive reports. The Autheo security team acknowledges receipt within 24 hours, completes triage within 72 hours, and provides status updates through resolution. Coordinated disclosure follows a 90-day window by default, adjusted for severity and exploitability, for example shortened when a bug is already being exploited in the wild.

Bounty Tiers

Critical-severity findings (chain consensus failures, validator key compromise paths, emission contract vulnerabilities) earn the top tier. High-severity findings (privilege escalation, denial of service, data exposure) earn a mid-tier payout. Medium- and low-severity findings earn smaller payouts. Specific dollar values are published on the bounty venue page once the program is live on HackerOne or Immunefi.

Scope and Out-of-Scope

In scope: the Autheo Layer-1 protocol, the AEE runtime, AutheoID identity primitives, validator node sale contracts, bridge components, and the official Autheo client libraries. Out of scope: third-party dApps deployed on Autheo (those are the responsibility of the dApp owner), social engineering of Autheo team members, and the physical security of partner data centers.

Key Statistics

$10M+: largest single crypto bug bounty payout to date
Immunefi has paid out more than $10 million for a single critical finding on a major DeFi protocol, the scale of critical-tier reward that Autheo's program is benchmarked against.

$2.2B+: crypto stolen in hacks during 2024
Chainalysis tracked more than $2.2 billion stolen in crypto hacks during 2024, the kind of loss a well-funded bug bounty program is meant to pre-empt.

1M+: cumulative vulnerability reports filed through HackerOne
HackerOne has facilitated more than 1 million vulnerability reports across its platform; this is the research community Autheo's bounty program draws on.

Expert Perspective

Bug bounties are the most cost-effective security investment a protocol can make. You are paying for actual vulnerabilities found, not for the absence of them. A $1M bounty budget that prevents a $100M hack is the best ROI in security.

Web3 Security Researcher, Immunefi Contributor (composite)
