Snowbridge 2026/2027 Bug Bounty Proposal

This proposal requests funding to renew the Snowbridge bug bounty programme, which expires on 1 July 2026. Snowbridge secures ~$35M in TVL and processes $10M–$20M in monthly volume - a vulnerability could result in catastrophic loss of user funds and severe reputational damage to the Polkadot ecosystem.

The previous programme, run on HackenProof for one year, was funded by the Snowbridge team out of their own milestones. It received over 500 submissions, of which approximately 5 were valid findings that led to fixes ($22,300 paid out with Hackenproof, $15,000 paid to a security report logged before the Hackenproof programme). The programme must be renewed to ensure proper security coverage.

The total request is $355,000, covering 12 months of bug bounty operations.

Programme Scope

In Scope

The bug bounty covers all Snowbridge on-chain code (Ethereum contracts and Snowbridge Polkadot on-chain code) Scope can be viewed at our Hackenproof programme: https://hackenproof.com/programs/snowbridge-on-chain-code

Out of Scope

Off-chain relayers
Frontend / dApp
SDK and tooling

Severity Levels and Rewards

Severity	Description	Reward
Critical	Direct loss of user funds, consensus bypass, unauthorized minting/burning	$30,000 – $75,000
High	Temporary freezing of funds, griefing attacks with material cost to users	$6,000 – $20,000
Medium	Non-critical logic errors, state inconsistencies that don't risk funds	$2,000 – $5,000
Low	Informational findings, gas optimizations, minor code quality issues	$200 – $1,000

Programme Operations

Platform

The programme will continue on HackenProof, which hosted the previous year's programme.

Reporting

Bi-yearly reports to the community on:

Number of submissions received
Number of valid findings and their severity
Rewards paid out
Remaining fund balance

Cost Breakdown

Bug Bounty Fund

#	Item	Cost
1	Bug bounty reward pool (12 months)	$250,000
2	HackenProof platform fee (12 months)	$5,000
	Total	$255,000

The reward pool covers payouts for valid findings. In 10 months, we will liaise with the Treasury to determine plans for the next year of Snowbridge and unspent funds will either carry-over into the next year's pool or be returned to the treasury. The pool must be large enough to credibly incentivize security researchers to investigate critical-severity vulnerabilities. Should the reward pool be depleted before the 12 month period, the programme will be paused until a top-up proposal passes Treasury governance.

Triage and Response Engineering

Running a bug bounty is not passive. The previous year's programme received over 500 submissions, the vast majority being false positives (estimated 99%). Each submission requires investigation and triage, ideally within 24 hours. Valid findings require additional time for root cause analysis, fix development, testing, and deployment.

This workload is increasing due to LLM-generated submissions, which are higher volume but lower quality - still requiring human review to identify the rare valid finding. We are working on setting up triage automations, which will help manage the increasing volume but will not eliminate the need for human review.

#	Item	Cost
1	Triage, investigation & resolution	$100,000
	Total	$100,000

Total

#	Item	Cost
1	Bug bounty fund (reward pool + platform)	$255,000
2	Triage and response engineering	$100,000
	Total	$355,000

The payout is a single payment on 1 Aug 2026.

Edited

Snowbridge is asking for money to keep its bug bounty program going for another year.
A bug bounty program pays people to find and report security problems in computer code.
Snowbridge is important because it protects a lot of money and handles millions of dollars every month.
Last year, the program got over 500 reports, but only a few were real problems that needed fixing.
The program needs $355,000. Most of this money ($250,000) is a reward pool to pay people who find bugs.
Some of the money ($100,000) is to pay engineers who check all the bug reports to see which ones are real.
The program will run on a website called HackenProof, just like it did last year.
The team will tell the community twice a year about how many bugs were found and how much money was paid out.

Source

This proposal requests funding to renew the Snowbridge bug bounty programme, which expires on 1 July 2026. Snowbridge secures ~$35M in TVL and processes $10M–$20M in monthly volume - a vulnerability could result in catastrophic loss of user funds and severe reputational damage to the Polkadot ecosystem.

The previous programme, run on HackenProof for one year, was funded by the Snowbridge team out of their own milestones. It received over 500 submissions, of which approximately 5 were valid findings that led to fixes ($22,300 paid out with Hackenproof, $15,000 paid to a security report logged before the Hackenproof programme). The programme must be renewed to ensure proper security coverage.

The total request is $355,000, covering 12 months of bug bounty operations.

Programme Scope

In Scope

The bug bounty covers all Snowbridge on-chain code (Ethereum contracts and Snowbridge Polkadot on-chain code) Scope can be viewed at our Hackenproof programme: https://hackenproof.com/programs/snowbridge-on-chain-code

Out of Scope

Off-chain relayers
Frontend / dApp
SDK and tooling

Severity Levels and Rewards

Severity	Description	Reward
Critical	Direct loss of user funds, consensus bypass, unauthorized minting/burning	$30,000 – $75,000
High	Temporary freezing of funds, griefing attacks with material cost to users	$6,000 – $20,000
Medium	Non-critical logic errors, state inconsistencies that don't risk funds	$2,000 – $5,000
Low	Informational findings, gas optimizations, minor code quality issues	$200 – $1,000

Programme Operations

Platform

The programme will continue on HackenProof, which hosted the previous year's programme.

Reporting

Bi-yearly reports to the community on:

Number of submissions received
Number of valid findings and their severity
Rewards paid out
Remaining fund balance

Cost Breakdown

Bug Bounty Fund

#	Item	Cost
1	Bug bounty reward pool (12 months)	$250,000
2	HackenProof platform fee (12 months)	$5,000
	Total	$255,000

The reward pool covers payouts for valid findings. In 10 months, we will liaise with the Treasury to determine plans for the next year of Snowbridge and unspent funds will either carry-over into the next year's pool or be returned to the treasury. The pool must be large enough to credibly incentivize security researchers to investigate critical-severity vulnerabilities. Should the reward pool be depleted before the 12 month period, the programme will be paused until a top-up proposal passes Treasury governance.

Triage and Response Engineering

Running a bug bounty is not passive. The previous year's programme received over 500 submissions, the vast majority being false positives (estimated 99%). Each submission requires investigation and triage, ideally within 24 hours. Valid findings require additional time for root cause analysis, fix development, testing, and deployment.

This workload is increasing due to LLM-generated submissions, which are higher volume but lower quality - still requiring human review to identify the rare valid finding. We are working on setting up triage automations, which will help manage the increasing volume but will not eliminate the need for human review.

#	Item	Cost
1	Triage, investigation & resolution	$100,000
	Total	$100,000

Total

#	Item	Cost
1	Bug bounty fund (reward pool + platform)	$255,000
2	Triage and response engineering	$100,000
	Total	$355,000

The payout is a single payment on 1 Aug 2026.

Edited