This proposal requests funding to renew the Snowbridge bug bounty programme, which expires on 1 July 2026. Snowbridge secures ~$35M in TVL and processes $10M–$20M in monthly volume - a vulnerability could result in catastrophic loss of user funds and severe reputational damage to the Polkadot ecosystem.
The previous programme, run on HackenProof for one year, was funded by the Snowbridge team out of their own milestones. It received over 500 submissions, of which approximately 5 were valid findings that led to fixes ($22,300 paid out with Hackenproof, $15,000 paid to a security report logged before the Hackenproof programme). The programme must be renewed to ensure proper security coverage.
The total request is $355,000, covering 12 months of bug bounty operations.
The bug bounty covers all Snowbridge on-chain code (Ethereum contracts and Snowbridge Polkadot on-chain code) Scope can be viewed at our Hackenproof programme: https://hackenproof.com/programs/snowbridge-on-chain-code
It also covers setting up automations and first pass triage using AI tools, to deal with the increasing number of findings that AI tools have supported.
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct loss of user funds, consensus bypass, unauthorized minting/burning | $30,000 – $75,000 |
| High | Temporary freezing of funds, griefing attacks with material cost to users | $6,000 – $20,000 |
| Medium | Non-critical logic errors, state inconsistencies that don't risk funds | $2,000 – $5,000 |
| Low | Informational findings, gas optimizations, minor code quality issues | $200 – $1,000 |
The programme will continue on HackenProof, which hosted the previous year's programme.
Bi-yearly reports to the community on:
| # | Item | Cost |
|---|---|---|
| 1 | Bug bounty reward pool (12 months) | $250,000 |
| 2 | HackenProof platform fee (12 months) | $5,000 |
| Total | $255,000 |
The reward pool covers payouts for valid findings. In 10 months, we will liaise with the Treasury to determine plans for the next year of Snowbridge and unspent funds will either carry-over into the next year's pool or be returned to the treasury. The pool must be large enough to credibly incentivize security researchers to investigate critical-severity vulnerabilities. Should the reward pool be depleted before the 12 month period, the programme will be paused until a top-up proposal passes Treasury governance.
Running a bug bounty is not passive. The previous year's programme received over 500 submissions, the vast majority being false positives (estimated 99%). Each submission requires investigation and triage, ideally within 24 hours. Valid findings require additional time for root cause analysis, fix development, testing, and deployment.
This workload is increasing due to LLM-generated submissions, which are higher volume but lower quality - still requiring human review to identify the rare valid finding. We are working on setting up triage automations, which will help manage the increasing volume but will not eliminate the need for human review.
| # | Item | Cost |
|---|---|---|
| 1 | Triage, investigation & resolution | $100,000 |
| Total | $100,000 |
| # | Item | Cost |
|---|---|---|
| 1 | Bug bounty fund (reward pool + platform) | $255,000 |
| 2 | Triage and response engineering | $100,000 |
| Total | $355,000 |
The payout is a single payment on 1 Aug 2026.
This proposal requests funding to renew the Snowbridge bug bounty programme, which expires on 1 July 2026. Snowbridge secures ~$35M in TVL and processes $10M–$20M in monthly volume - a vulnerability could result in catastrophic loss of user funds and severe reputational damage to the Polkadot ecosystem.
The previous programme, run on HackenProof for one year, was funded by the Snowbridge team out of their own milestones. It received over 500 submissions, of which approximately 5 were valid findings that led to fixes ($22,300 paid out with Hackenproof, $15,000 paid to a security report logged before the Hackenproof programme). The programme must be renewed to ensure proper security coverage.
The total request is $355,000, covering 12 months of bug bounty operations.
The bug bounty covers all Snowbridge on-chain code (Ethereum contracts and Snowbridge Polkadot on-chain code) Scope can be viewed at our Hackenproof programme: https://hackenproof.com/programs/snowbridge-on-chain-code
It also covers setting up automations and first pass triage using AI tools, to deal with the increasing number of findings that AI tools have supported.
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct loss of user funds, consensus bypass, unauthorized minting/burning | $30,000 – $75,000 |
| High | Temporary freezing of funds, griefing attacks with material cost to users | $6,000 – $20,000 |
| Medium | Non-critical logic errors, state inconsistencies that don't risk funds | $2,000 – $5,000 |
| Low | Informational findings, gas optimizations, minor code quality issues | $200 – $1,000 |
The programme will continue on HackenProof, which hosted the previous year's programme.
Bi-yearly reports to the community on:
| # | Item | Cost |
|---|---|---|
| 1 | Bug bounty reward pool (12 months) | $250,000 |
| 2 | HackenProof platform fee (12 months) | $5,000 |
| Total | $255,000 |
The reward pool covers payouts for valid findings. In 10 months, we will liaise with the Treasury to determine plans for the next year of Snowbridge and unspent funds will either carry-over into the next year's pool or be returned to the treasury. The pool must be large enough to credibly incentivize security researchers to investigate critical-severity vulnerabilities. Should the reward pool be depleted before the 12 month period, the programme will be paused until a top-up proposal passes Treasury governance.
Running a bug bounty is not passive. The previous year's programme received over 500 submissions, the vast majority being false positives (estimated 99%). Each submission requires investigation and triage, ideally within 24 hours. Valid findings require additional time for root cause analysis, fix development, testing, and deployment.
This workload is increasing due to LLM-generated submissions, which are higher volume but lower quality - still requiring human review to identify the rare valid finding. We are working on setting up triage automations, which will help manage the increasing volume but will not eliminate the need for human review.
| # | Item | Cost |
|---|---|---|
| 1 | Triage, investigation & resolution | $100,000 |
| Total | $100,000 |
| # | Item | Cost |
|---|---|---|
| 1 | Bug bounty fund (reward pool + platform) | $255,000 |
| 2 | Triage and response engineering | $100,000 |
| Total | $355,000 |
The payout is a single payment on 1 Aug 2026.
Threshold
Threshold