GraphTokenLockManager (Token Distribution - https://github.com/graphprotocol/token-distribution ) (Ethereum mainnet)

GraphTokenLockWallet (Token Distribution - https://github.com/graphprotocol/token-distribution ) (Ethereum mainnet)

 Indexer Allocation Optimizer (Indexer Software Stack)

Ethereum Firehose Indexer (Indexer Software Stack)

Integrator Tool Kit for Developers Maintaining Firehose

__Note on Smart Contracts:__
The Graph protocol is in the process of migrating to Arbitrum, as the preferred L2. For this reason, there are Smart Contracts deployed in multiple chains. Not all are equal, so bug bounty hunters are encouraged to check the code on both chains. Once fully migrated, this bug bounty program will be updated too, removing unnecessary ones. Assets in our testnet environment are intentionally excluded.

Occasionally, the Graph Foundation may, but is not required to, make an exception and reward disclosure of an out-of-scope impact that would have a material negative impact on the brand or goodwill of The Graph.  Whether to make such an exception, as well as the size of the reward for such an exception, is in The Graph Foundation’s sole and final discretion.  

Below, “User” includes Indexers, Delegators, Curators, Data Consumers, and Gateway Operators.

Notes related to the impact "A bug related to data determinism when syncing subgraphs and Substreams-powered subgraphs, resulting in POI (Proof of Indexing) divergence on the network (different Indexers not reaching consensus for the same indexing work)": 
   - The baseline reward for such valid bugs will always be $2.5k, up to $5k in GRT.
   - In addition to the standard Proof of Concept mandatory with every report, Hackers must find the root cause of the issue (not just a reproducible PoC). 
   - This applies to the assets in the scope above (Graph Node, Firehose, and Substreams). Should the origin of the bug be external RPC clients Graph Node connects to during subgraph syncing (geth, Erigon, etc.), the report will still be considered valid, providing a well-detailed PoC, and root cause analysis is attached ("Informational").

The Graph is an indexing protocol for querying decentralized data from multiple blockchains and storage solutions such as IPFS. It is a decentralized network comprised of multiple stakeholders incentivized to build and offer an efficient and reliable open data marketplace, through GraphQL-based APIs.

A bug that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts (not including slashing)

A bug that could cause significant (>$1M) funds being lost (not including slashing)

A bug in the canonical Indexer software stack that could result in private keys being stolen

A bug that could cause network disruption at Indexer and Gateway level, taking at least 50% of both Gateways and Indexer nodes down (Indexer software stack)

A bug that could cause incorrect payouts of query fees or indexing rewards

An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts or being exploited

A bug that could cause network participants to be impersonated and unwanted actions being taken (eg., User funds being stolen directly from the protocol smart contracts)

Private information being stolen

An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from the protocol smart contracts

A bug that could allow impersonating other users, leading to negative impact to network participants through User funds being lost or stolen directly from the protocol smart contracts

Halt application functionality for majority of users. The impact level is determined based on the downtime of the application, ease of the fix or patch required, and the percentage of users affected (> 50%)

A bug that could lead to non-deterministic syncing of subgraph data (Graph Node only)

A bug that could halt or delay an Indexer’s ability to process a query or receive payments

A bug in the default Indexer software that could result in a “halt" or an impact on liveness

A griefing attack on the services provided or network participants

A bug in a smart contract that could result in a “halt" or an impact on liveness

A “griefing” attack on the services provided or network participants

A bug that could cause the service (Studio or The Graph’s decentralized network) functionality, throughput, or utility to be degraded but not disabled for other network participants

A bug that allows remote code execution resulting in exposure of private keys

A bug whereby an attacker does not pay sufficient GRT fees for the load they exert on the network

A vulnerability that could cause inaccurate query data to be served

A vulnerability that could cause two or more Indexers to provide different results for the same query when the approved code is run

A bug that could cause the service functionality, throughput, or utility to be degraded but not disabled

Data determinism bugs when syncing subgraphs and Substreams-powered subgraphs, resulting in POI (Proof of Indexing) divergence on the network (Indexers not in consensus for the same indexing work). Notes: https://immunefi.com/bug-bounty/thegraph/resources

A bug or an incorrect configuration of the contracts that produces incorrect outputs or behavior but does not impact participants or the protocol in a material way

Temporarily disabling user from accessing the target site

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope and ineligible for rewards, even if they affect something in the assets in the scope table. Occasionally, the Graph Foundation may, but is not required to, make an exception and reward disclosure of an out-of-scope impact that would have a material negative impact on the brand or goodwill of The Graph.  Whether to make such an exception, as well as the size of the reward for such an exception, is in The Graph Foundation’s sole and final discretion.  

Below, “User” includes Indexers, Delegators, Curators, Data Consumers, and Gateway Operators.

Notes related to the impact "A bug related to data determinism when syncing subgraphs and Substreams-powered subgraphs, resulting in POI (Proof of Indexing) divergence on the network (different Indexers not reaching consensus for the same indexing work)": 
   - The baseline reward for such valid bugs will always be $2.5k, up to $5k in GRT.
   - In addition to the standard Proof of Concept mandatory with every report, Hackers must find the root cause of the issue (not just a reproducible PoC). 
   - This applies to the assets in the scope above (Graph Node, Firehose, and Substreams). Should the origin of the bug be external RPC clients Graph Node connects to during subgraph syncing (geth, Erigon, etc.), the report will still be considered valid, providing a well-detailed PoC, and root cause analysis is attached ("Informational").

Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit. 

A report will receive a single classification based on the vulnerability disclosed in the report which would yield the highest reward to the hacker.  So, for instance, if a report discloses a “Critical - Websites and Applications” vulnerability valued at the maximum $50,000 USD and a “High - Smart Contracts and Blockchain” vulnerability valued at the maximum $200,000 USD, the report will be given the classification of “High - Smart Contracts and Blockchain” because that will yield the highest reward.

Rewards for critical vulnerabilities are capped at 10% of the potential direct economic damage at the time the vulnerability is disclosed, primarily focusing on the USD value of Indexer, Delegator, or Curator assets in any impacted protocol smart contracts at the time of disclosure and the likelihood that such assets could be lost or stolen. The Graph Foundation may also in its discretion, but is not required to, take into consideration other potential economic harms such as potential damage to brand and goodwill. Indirect or speculative potential damage will not be considered.

Final reward amount for a valid report classified as High, Medium, and Low is in the sole discretion of The Graph Foundation. Though this bug bounty program considers the severity classification system, the primary baseline before further consideration is the Impacts in Scope and Assets in Scope tables, though that itself isn’t the final determinant.

To qualify for a reward, bug bounty hunters will need to provide KYC through https://thegraph.typeform.com/to/AXe74zc4 and provide all requested information and documents, including, without limitation:
  - E-mail address;
  - Name;
  - Wallet address the GRT should be sent to. This address must correspond with the same listed in the report. 

Additionally, all bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.

__Proof of Concept required for Smart Contracts and Blockchain__
In the case of smart contract bugs, sharing a valid reproducible script as Proof of Concept (PoC) is a strict requirement. All PoCs must be submitted complying with Immunefi’s PoC Guidelines and Rules. Failing to do so will result in a report being deemed invalid by The Graph Foundation, not eligible for any reward.

Payouts are handled by __The Graph Foundation__ and are denominated in __USD__ and payable in __GRT__ based on the prevailing __USD/GRT__ conversion price at the time of payment.

The Graph

Resources & Documentation