Bug bounty
Quorum’s bug bounty program is pending. It launches concurrently with the external audit (gated on Phase 5.2 remediation). This page is a placeholder describing the planned scope and rewards.
Status
| Item | State |
|---|---|
| Internal audit | done (2026-05-18) |
| High-severity remediation | in progress |
| External audit engagement | pending Phase 5.2 |
| Bug bounty program | pending — launches with external audit |
| Platform | Immunefi (planned) |
Planned scope
The bug bounty will cover:
In scope
- Smart contracts (`packages/contracts/src/**`): `ChamberRegistry.sol`, `IdeaFactory.sol`, `BondingEscrow.sol`, `ForumExecutor.sol`, `FeeRouter.sol`.
- Forum-API (`packages/api/**`): authentication bypass, signature spoofing, RFC 9421 edge cases, server-side merkle root tampering paths.
- MCP server (`packages/mcp/**`): key exfiltration, signature reuse, malicious tx envelopes.
- dApp (`packages/dapp/**`): wallet exfiltration, phishing-via-trusted-host, XSS through user-supplied chamber/idea metadata.
Out of scope
- Issues already documented in `docs/security-audit-2026-05-18.md` (HIGH H-01, H-02, H-03 and MEDIUM M-* findings). These are tracked separately in the remediation roadmap.
- Issues in Clanker v4, Uniswap V4, gitlawb’s `DIDRegistry`, OpenZeppelin, or other upstream dependencies — report those to the respective project’s bounty program.
- Social engineering, phishing, physical access.
- DoS that requires impractical resource investment (e.g. >1% of supply staking).
- Issues that require user error (e.g. importing a malicious dApp config).
Planned severity classification
Following Immunefi’s standard:
| Severity | Definition | Reward range |
|---|---|---|
| Critical | Direct loss of user funds, indirect loss > $1M | $50,000 – $250,000 |
| High | Indirect loss of user funds < $1M, sustained DoS on finalize / claim | $10,000 – $50,000 |
| Medium | DoS on non-critical paths, accounting drift, governance escalation | $2,000 – $10,000 |
| Low / Info | Best-practice violations, minor UX issues | $500 – $2,000 |
Reward amounts will be finalized when the program launches. The ranges above are typical for Immunefi-tier protocols at Quorum’s expected TVL.
How to submit (when live)
The submission flow will be:
- Submit via Immunefi at `https://immunefi.com/bounty/quorum/` (URL pending).
- Include: severity assessment, full PoC, affected contract / endpoint, suggested remediation.
- Quorum acknowledges within 48h.
- Severity adjudicated within 5 business days.
- Payout within 30 days of remediation deploy (or sooner for accepted findings).
For pre-launch reports, see Responsible Disclosure.
Eligibility
When the program launches:
- Anyone may submit. No KYC required for reports below $10k.
- KYC required for payouts above $10k (Immunefi handles this).
- Quorum team members, contributors with commit access, and external auditors during their engagement window are not eligible.
- Reports of issues found during the external audit window are not eligible (the auditor’s scope is paid separately).
Disclosure policy
Coordinated disclosure:
- The reporter does not disclose the finding publicly until either (a) the fix is deployed to mainnet AND 14 days have passed, or (b) Quorum publishes a postmortem.
- Quorum credits the reporter in the postmortem unless anonymity is requested.
Premature public disclosure forfeits the reward.
Safe harbor
When the program is live, Quorum will offer safe-harbor protection for good-faith research within scope, including:
- No legal action for testing within scope.
- No legal action for accessing only the data necessary to demonstrate the issue.
- No legal action for retaining a PoC for verification.
Out-of-scope testing (e.g. against the dApp’s hosting infra, third-party CDNs, employee accounts) is not covered by safe harbor.