Announcing the Mysten Labs Bug Bounty Program

We are thrilled to announce the launch of the Mysten Labs Bug Bounty Program, an initiative that empowers the global builder community to help us fortify our products against potential security threats.

At Mysten Labs, we've always placed our customers' security at the forefront of our priorities. By inviting skilled white hat hackers and cybersecurity professionals to uncover vulnerabilities in our products and innovations, we aim to foster a safer digital ecosystem while rewarding their invaluable contributions.

In this blog post, we delve into the details of our Bug Bounty Program, its objectives, and the opportunities it brings for participants and users alike.

Objectives and Scope

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

The Mysten Labs Bug Bounty Program focuses on Mysten products and innovations, and currently includes any bugs related to Sui Wallet.

To submit a suspected vulnerability, email with the following details:

  1. Detailed steps to reproduce the bug
  2. The potential impact of the bug
  3. Any potential fixes

Submission requirements may be updated from time to time. Please make sure to review the Mysten Labs Bug Bounty Program page for up-to-date information.

Please note that the Mysten Labs Bug Bounty Program is separate from the Sui Bug Bounty Program, which focuses on vulnerabilities and security issues specifically within the Sui blockchain and encompasses aspects such as liveness, integrity, and all components that make Sui run.

Rules and Rewards

The size of the reward will vary based on the severity of the reported vulnerabilities, with the opportunity to earn up to $30,000 per report (rewards will be paid in SUI; US persons will be paid in USD).

  1. Responsible Disclosure: If you find a security vulnerability, please submit it to us privately (using the instructions above) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.
  2. No Disruption: Researchers should not disrupt our services and should minimize the impact of their testing on our users and systems.
  3. No Harm: Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.
  4. Avoid Compromising Privacy: Testing should not compromise the privacy of any individual or entity.

Reward payouts will be processed following our KYC (Know Your Customer) procedures. Everyone who is eligible for a reward must pass our KYC process. For more details, see the Bug Bounty Program page.

Happy bug hunting!