Submit a Bug
22 April 2021
Live since
KYC required
Maximum bounty

Polymath makes it easy to create, issue, and manage tokens on the blockchain. Over 200 tokens have been deployed using our Ethereum-based solution and we are now in the midst of launching mainnet of Polymesh, an institutional-grade blockchain built specifically for regulated assets. It streamlines antiquated processes and opens the door to new financial instruments by solving the inherent challenges with public infrastructure around identity, compliance, confidentiality, and governance.

For more detailed information about Polymath, you can read their whitepaper.

Polymesh currently powers their testnet, and the aim of the Bug Bounty program is to find bugs in Polymesh, to make it more robust.

This is focused around its smart contracts and is mostly concerned with the loss of user funds and the denial of service.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability severity with the following categorization:

Critical: Transaction manipulation/censorship, double-spending, POLY/POLYX minting, unauthorized token minting, staled or undermined consensus/network, governance censorship or compromise, manipulation of signing keys or master keys to gain unauthorised access to an identity.

High: Ability to use an extrinsic panic unexpectedly without proper handling, block the on-chain governance system from it’s expected behaviour, block other users from their ability to perform expected tasks (griefing).

Medium: Ability to put chain data into an unexpected state which otherwise doesn’t cause any disruption, forcing the emission of events which are incorrect.

Low: DoS’ing of the operator nodes, incorrect data being logged through events.

Smart Contracts and Blockchain

CriticalUp to USD $3,000 - USD $5,000
HighUp to USD $1,000 - USD $3,000
MediumUp to USD $250 - $USD 750
LowUp to USD $100 - USD $300
NoneUSD $0

Variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).

Payouts are handled by the Polymath team directly and are denominated in USD. However, payouts are done in USDC.

Assets in Scope


In addition to these listed above, the following repositories, sources and sites are explicitly out-of-scope of the Program:


While researching, please refrain from:

  • Denial of service in general and of Public RPC nodes
  • Attacks that consume a substantial amount of Kovan ETH, Kovan POLY or Testnet POLYX and which would otherwise be cost-prohibitive on mainnet
  • Spamming
  • Social engineering (including phishing) of Polymath staff
  • Any physical attempts against Polymath property or data centres


  • Rewards will be decided on a per case basis. This bug bounty program’s terms and conditions are at the sole discretion of Polymath Network.
  • Rewards will vary depending on the severity of the issue.
  • Disclose the bug only on the platforms approved by us (Immunefi). Do not disclose a bug or vulnerability anywhere else to the public. Doing such would disqualify it from being considered for a reward.
  • The bugs being considered for the reward are based on first come first serve basis, duplicate bugs will not be considered.
  • If you want to add more information to a provided issue, edit the original report, do not create a new submission.
  • Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
  • Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Polymath Network.
  • Submissions needs to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
  • Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission process invalid.
  • It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.
  • By participating in the Polymath Bug Bounty program, you agree to abide by the terms and condition of the program.
  • We may modify the terms or terminate this program at any time.

Terms and Conditions

These Terms and Conditions are set by Polymath Inc on their bug bounty rules page here - https://developers.polymesh.live/community/bug-bounty-rules

Please read these terms and conditions (these “Terms”), which form a legally binding contract between Polymath Inc. (“Polymath” or “us” or “our” in context) and qualifying individuals (“Participant” or “you” and “your” in context) who wish to participate in this bug bounty program (the “Program”) and identify vulnerabilities in our in-scope products (“Vulnerabilities”). Participants that submit acceptable Vulnerability Reports shall be eligible to earn a payout (a “Bounty Payout”), as determined solely at Polymath’s discretion, in accordance with these Terms.

These Terms include important clauses, including without limitation, instances where Participants may be liable to Polymath, a class action waiver, and other limitations of your rights and remedies. Disputes will be adjudicated solely in Ontario, Canada. By participating in the Program, all Participants must agree to be bound by these Terms and comply with these Terms. If an individual does not wish to, or cannot comply with these Terms, they are ineligible for a Bounty Payout and must not participate in the Program.


Polymath offers this Program as an initiative for our community members that are helping Polymath to improve its software.

The Program is not a competition. No fees are payable or purchase is necessary to participate in the Program. There is no guarantee that you will earn a Bounty Payout. The Program is provided “as-is”.

This Program is a discretionary initiative. Polymath, in its sole discretion, may modify these Terms at any time and may modify, restrict, suspend, terminate, or otherwise change any aspect of this Program, and/or the fulfillment of any Bounty Payouts at any time, as noted in Section 7 below.

You must meet the following criteria in order to be eligible to be a Participant:

  • You must be either the legal age of majority in your country or at least 14 years of age with permission from your legal guardian that you may participate in the Program;
  • When acting as a Participant, you are not violating any other agreement (i.e. employment agreement) to which you may be a party - we are not liable for any breach of such a third-party agreement by you and disclaim any knowledge of or responsibility for your conduct; and
  • You are not listed under or resident in a country that is under a Barbados, US, Canadian, European Union, or United Nations embargo or sanctions list.
  • Polymath employees, contractors or representatives, or a family member of a Polymath employee, contractor or representative, are not eligible to participate in the Program.

These Terms are the entire agreement between you and Polymath for your participation in the Program and these Terms will supersede any prior agreement between you and us.

A Participant may be required to provide Polymath with proof of compliance and eligibility in the form requested in regards to any obligation of the Participant hereunder.


To set up the developer environment, and get started, please visit: https://github.com/PolymathNetwork/Polymesh

To submit a Vulnerability, you must complete and submit a bug report through the Immunefi bug submission link at the top of this document.

All feedback, unsolicited and solicited, Reports, and any materials that you submit to us as part of the Program are subject to the Intellectual Property, Grants, and Ownership rights in Section 8 below.

(2.1) Scope

Polymath’s main product is blockchain related source code (located in our GitHub repositories, primarily at: https://github.com/PolymathNetwork/Polymesh) and any associated released binaries. Polymath’s websites or services are not part of the Program. Please see the Assets in Scope table above for the list of libraries and items within the scope of the Program. If you believe you have found a Vulnerability in Polymath’s blockchain related source code and associated released binaries that are within scope, we encourage you to let us know right away by submitting a Report. Before submitting a Report, please review these Terms, including our Responsible Investigation and Reporting requirements (section 2.2 below), Reward Details (in the reward table above), and the Program Scope (in the Assets in Scope table above).

(2.2) Responsible Investigation and Reporting

For you to participate in the Program, we require that you:

  • Meet the eligibility requirements in section 1 above.
  • Do not violate the privacy of other users and not engage in actions to cause disruptions to others, including (but not limited to) unauthorized access to or destruction of data.
  • Do not violate any applicable laws or regulations.
  • Do not share content that is offensive, inappropriate, graphic, or spam.
  • Do not harm (by planting a vulnerability or introducing a virus or threat) or defraud Polymath or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
  • Do not target our physical security measures (attempts against Polymath property or data centers), or attempt to use social engineering, spam, or distributed denial of service (DDOS) attacks.
  • Do not engage in attacks that consume a substantial amount of Kovan ETH, Kovan POLY, or Testnet POLYX which would be otherwise cost-prohibitive on mainnet.
  • Do not exploit a Vulnerability that you discover for any reason other than for testing purposes.
  • Do not introduce any intellectual property to us in any way to which you do not have a sublicense right;
  • Report Vulnerabilities only to us and not to anyone else.
  • Do not take credit for anyone else’s work in respect of a Report.
  • Do not submit Reports that make use of information that is fraudulent, deceptive, forged, altered, incomplete, lost, late, misdirected, mutilated, illegitimate, incomprehensible, garbled, or generated by a macro, bot, or other automated means.
  • Do not damage or cause interruption of the Program and/or prevent others from participating in or engaging in the Program.
  • Comply with these Terms.

(2.3) Safe Harbor Provisions

These Terms provide you with authorization to test our in-scope code and technologies (see 2.1 above and the Assets in Scope section for in-scope and out-of-scope activities). These Terms DO NOT provide you authorization to intentionally access Polymath data, unauthorized access of another person’s data or engage in actions that are not permitted in section 2.2 above and are out-of-scope for purposes of the Program.

These Terms DO NOT provide authorization in respect of any third-party (i.e., a party other than Polymath or its affiliates) networks, systems, information, applications, products, or services.

Those who do not abide by these Terms and the instructions of Polymath and its representatives and provide all required information may, in Polymath’s sole discretion, be disqualified and any purported participation by such person deemed void. If a Participant attempts or succeeds in abusing the Program, Polymath may (in its sole discretion) disqualify such Participant from participation in this Program and pursue other remedial actions.

You should retain a copy of your Report and records of your participation. Polymath is not responsible for providing a copy or record of any element of your participation.

(2.4) Publicity

Polymath may offer features allowing Participants to publicly display certain information about their participation in this Program within a researcher profile, such as profile information, types of Vulnerabilities reported, and other statistics. If you choose to share your information through this feature, this information will be public and others may use it or share it with third parties. Polymath may also feature you or your Report in any commercially reasonable manner.

As a condition of participating in this Program, pursuant to the terms of our Privacy Policy, Participants give Polymath and its agents permission to share their name, address, and other contact or Bounty Payout information to third parties (such as payment services) for the purpose of administering this Program and complying with applicable laws, regulations, and rules. If you choose not to give your consent, you must notify Polymath in writing at bugbounty@polymath.network, in which case Polymath may, in its sole discretion, disqualify you either from receiving the applicable Bounty Payout(s), from the Program, or both.


We use email and other electronic means to stay in touch with Participants. You agree that when you provide us your email address or personally identifying information (e.g. name, address) during or prior to access or involvement in the Program, you: (a) consent to receive communications from us in electronic formats, including via the email address you have submitted or other agreed upon contact methods; (b) can opt-out from receiving communication from us at any time; and (c) agree that these Terms, agreements, notices, disclosures and other communications that we provide to you electronically satisfy any legal requirement that such communications would satisfy if they were in writing and physically presented to you.

Public announcements regarding the Program will be made in the Polymath Developer Discord Channel. Notifications in connection with submitted Reports, Bounty Payouts, and your participation in the Program will be made by email using your email address provided. It is each Participant’s sole responsibility to receive and monitor those methods to timely receive, review, and respond as needed to notifications. Failure to timely respond or complete any of the steps set forth in the notification and verification procedures for any reason, including filtering or failure by Participant to notice or accept a communication from Polymath or its representative, may result in disqualification of such Participant from receiving the Bounty Payout. Polymath reserves the right to contact Participants for verification purposes and administration of the Program. All Polymath’s decisions are final and binding in all matters relating to the Program.


Participants will receive Bounty Payouts upon satisfying criteria for such payouts on their Reports, subject to verification. See the reward table for current information regarding Bounty Payouts, including how Bounty Payouts are calculated (collectively, “Rewards Details”). We may change the Bounty Payouts and the manner in which they are calculated at any time. All Bounty Payout details not specified in these Terms (including the reward table) will be determined at Polymath’s sole discretion. Bounty Payouts are not the property of any Participant until such payouts are actually received by a Participant.

Bounty Payouts are paid in United States Dollars or USDC on Ethereum and shall be sent using the details provided by Participant as specified in the reward table. Polymath is not responsible for a Participant’s inability to accept or receive a Bounty Payout for any reason. We are not able to issue Bounty Payouts to Participants who are in violation of a material term of these Terms, including being on a sanctions list or that reside in countries on a sanctions list.

Any taxes (federal, national, state, prefectural, territorial, provincial, and/or local) and other costs and expenses associated with Bounty Payout acceptance or receipt will be the sole responsibility of the Participant. No more than the stated Bounty Payout will be awarded. Polymath will not replace any lost or stolen Bounty Payouts or any Bounty Payouts that are undeliverable or do not reach the Participant because of an incorrect or changed address or contact information. If a Participant does not accept the entire Bounty Payout, the unaccepted part of the Bounty Payout will be forfeited, and Polymath will have no further obligation with respect to that Bounty Payout or portion of the Bounty Payout. Participants are strictly prohibited from selling, auctioning, trading, or otherwise transferring their entitlements to Bounty Payouts. Polymath may be unable to make Bounty Payouts (for example, if prevented by a government or regulatory agency), impractical (e.g. excessive transfer costs, duties, or taxes), or impossible for Polymath to award to Participants who live in certain jurisdictions. Polymath reserves the right, but not the obligation, to cancel the payment of such Bounty Payout in such circumstance. Each Participant waives the right to assert as a cost of receiving any Bounty Payout any and all costs of verification and costs to claim the Bounty Payout and any liability and publicity which might arise from claiming or seeking to claim said Bounty Payout.

Participants may be required to respond to an initial notification from Polymath within forty-eight (48) hours and be required to provide necessary details so Polymath can make the Bounty Payouts.


Participant will be liable for and indemnify Polymath, its subcontractors, and their respective directors, officers, and representatives (“Polymath Indemnitees”) against any losses which Polymath Indemnitees may incur that arise from Participant’s breach of these Terms, including losses arising from Participants’ gross negligence, willful misconduct and breach of law.

In no event will Polymath be liable to you for any loss of use, revenue or profit or loss of data or for any consequential, incidental, indirect, exemplary, special, aggravated, or punitive damages whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damage was foreseeable and whether or not Polymath had been advised of the possibility of such damages.

Notwithstanding anything else set out under these Terms, our cumulative liability to you under these Terms (apart from payment of Bounty Payout to which you may be entitled) shall be $10. Participant further waives all rights to have damages multiplied or increased.


This Program, these Terms, and any dispute arising under or related thereto (whether for breach of contract, tortious conduct, or otherwise) will be governed, construed, and interpreted under the laws of the Province of Ontario, Canada and the federal laws of Canada applicable therein, without reference or giving effect to its conflicts of law principles or rules that would cause the application of any other laws. Any legal actions, suits, or proceedings related to this Program (whether for breach of contract, tortious conduct, or otherwise) will be brought exclusively in the courts of the Province of Ontario and each Participant irrevocably accepts, submits, and consents to the exclusive jurisdiction and venue of these courts with respect to any legal actions, suits, or proceedings arising out of or related to this Program. You waive any and all objections to jurisdiction and venue in these courts and hereby submit to the jurisdiction of the courts of the Province of Ontario, Canada.

Except where prohibited, as a condition of participating in this Program, each Participant agrees that between the parties, any and all disputes, claims, and causes of action arising out of or connected with this Program, or the Bounty Payout awarded must be resolved individually, without resort to any form of class action.


Polymath reserves the right to modify, restrict, suspend, or otherwise change any aspect of the Program, and/or these Terms from time-to-time, for any reason, including any reason beyond Polymath’s control, and within its sole discretion, including without limitation, the manner in which Participants participate, the manner in which Bounty Payouts are calculated, with reasonable notice to Participants. If you have submitted any Vulnerability to us already, we will notify you of changes to these Terms via an email. The updated terms will always be available at https://developers.polymesh.live/community/bug-bounty-rules. The updated Terms will be effective as of the time of posting, or upon such later date as specified by Polymath. The updated Terms will apply to your participation in the Program beginning as of their effective date, or upon such later date, or by such other method as specified by Polymath. If you do not agree to such an amendment, you must cease your participation in the Program immediately. Except where exigencies require a shorter time frame, we reserve the right to terminate the Program completely by providing you with thirty (30) days’ notice of the impending termination.

We may terminate your engagement with us and any entitlement to any Bounty Payout if you violate any part of these Terms. Polymath reserves the right to restrict or void participation from any identifiable source if any suspicious participation is detected or any violation of these Terms is suspected or detected. Polymath reserves the right, in its sole discretion, to void the participation of any Participant who Polymath believes has attempted to tamper with or impair the administration, security, fairness, or proper execution of the Program. If Polymath determines at any time, in its sole discretion, that a Participant is engaging in behavior that Polymath deems obnoxious, deceptive, inappropriate, threatening, illegal or that is intended to annoy, abuse, or harass any other person, Polymath reserves the right to disqualify that Participant.

Sections 4, 5, 6, 8, 9, 10 and this clause shall survive termination of the Program.


(8.1) Intellectual Property Rights and Ownership

We retain all intellectual property rights in our products including, without limitation, all our source code and associated related binaries. Nothing herein shall grant you any right in any part of our products, or any improvement or derivative in any Report you provide us. You agree that to the extent required to abide by these Terms, you will waive any and all rights that may otherwise accrue to you in any Report and agree that we will not be obliged to license back any derivative or improvements in any Report to you.

(8.2) Grants to Polymath

Subject to applicable Bounty Payout, you grant a royalty-free, fully paid-up, perpetual, non-revocable, exclusive, worldwide, transferable, and sub-licensable license in respect of any Report and any feedback provided to Polymath and agree that Polymath hereby has unrestricted rights to utilize the Report and feedback, at its sole discretion. We will not have an obligation to utilize any item you provide us. You waive any compensation related to incorporation of any materials in a Report or any feedback provided to us into our products and services. You agree that we may also utilize your personal information in accordance with our Privacy Policy available at https://polymath.network/privacy-policy.


The Polymath Indemnitees are not responsible and/or liable for any of the following, whether caused by a Polymath Indemnitee, the Participant, or by human error: participation submitted by illegitimate means (such as, without limitation, by an automated computer program); any lost, late, incomplete, illegible, unintelligible, garbled, mutilated, or misdirected participation, email, mail, or Program-related correspondence or materials or postage-due mail; any error, omission, interruption, defect or delay in transmission or communication; viruses or technical or mechanical malfunctions; interrupted or unavailable cable or satellite systems; errors, typos, or misprints in these Terms, any Program-related advertisements, or other materials; failures of electronic equipment, computer hardware, or software; lost or unavailable network connections or failed, incorrect, incomplete, inaccurate, garbled or delayed electronic communications or participation information. Polymath Indemnitees are not responsible for electronic communications that are undeliverable or do not reach the Participant as a result of any form of active or passive filtering of any kind or insufficient space in a Participant’s email inbox to receive email messages. Polymath Indemnitees are not responsible, and may disqualify you, if your email address or other contact information does not work or is changed without prior written notice to Polymath. Without limiting any other provision in these Terms, the Polymath Indemnitees are not responsible or liable to any Participant (or any person claiming through such Participant) for failure to supply the Bounty Payout or any part thereof in the event that any of the Program activities or Polymath Indemnitees’ operations or activities are affected by any cause or event beyond the sole and reasonable control of the applicable Polymath Indemnitee (as determined by Polymath in its sole discretion), including, without limitation, by reason of any force majeure event, act of God, equipment failure, threatened or actual terrorist acts, air raid, act of public enemy, war (declared or undeclared), civil disturbance, insurrection, riot, epidemic, pandemic, public health crisis, fire, explosion, earthquake, flood, hurricane, unusually severe weather, blackout, embargo, labor dispute or strike (whether legal or illegal), labor or material shortage, transportation interruption of any kind, work slow-down, any law, rule, regulation, action, order, or request adopted, taken, or made by any governmental or quasi-governmental entity (whether or not such governmental act proves to be invalid), or any other cause, whether or not specifically mentioned above.


Polymath’s clock will be the official timekeeper for this Program. Polymath’s decisions will be final in all matters relating to this Program, including interpretation of these Terms and awarding of the Bounty Payouts.

Polymath’s failure or decision not to enforce any provision in these Terms will not constitute a waiver of that or any other provision. In the event there is an alleged or actual ambiguity, discrepancy, or inconsistency between disclosures or other statements contained in any Program-related materials and/or these Terms (including any alleged ambiguity, discrepancy, or inconsistency within these Terms), it will be resolved by Polymath in its sole discretion. Participants waive any right to claim ambiguity in the Program or these Terms.

The invalidity or unenforceability of any provision of these Terms will not affect the validity or enforceability of any other provision. In the event that any provision is determined to be invalid or otherwise unenforceable or illegal, these Terms will otherwise remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision were not contained herein.

Find the details Rules, T&C of the bug bounty program at Polymath D eveloper site: https://developers.polymesh.live/community/bug-bounty-rules