Intersect

today at 6:07 PM


Introducing the Intersect Bug Bounty Program: strengthening open source security

The Open Source Committee (OSC) is proud to announce the launch of the Intersect Bug Bounty Program. This new initiative reinforces our commitment to security, transparency, and community collaboration across the Cardano ecosystem.

Developed in alignment with the Paid Open Source Model (POSM), this program establishes a formal pathway for ethical hackers, security researchers, and community contributors to identify and responsibly disclose vulnerabilities in the open-source infrastructure managed by Intersect. It represents a shared effort to strengthen the systems that underpin Cardano’s decentralized future.

Building a stronger foundation

As the Cardano ecosystem continues to expand, maintaining a strong security posture is critical. The Bug Bounty Program is designed to make that possible through structured collaboration and clear accountability. It encourages responsible disclosure, rewards meaningful discoveries, and ensures that vulnerabilities are addressed swiftly and transparently.

By inviting the community to take part, Intersect aims to transform security from a background process into an open, participatory practice that reflects the decentralised principles driving Cardano’s growth.

Program highlights

Clear incentives and reward guidance - To ensure fair compensation, each severity level is associated with a reward range based on potential impact. These ranges serve as guidance rather than strict limits; in some cases, a severe issue may warrant a higher bounty based on the threat level.

Reward tiers:

  • Critical: USD 10,000 – 20,000
  • High: USD 5,000 – 10,000
  • Medium: USD 1,000 – 5,000
  • Low: Up to USD 1,000

Coverage - The program includes vulnerabilities affecting key infrastructure managed or sponsored by Intersect, including:

  • Core infrastructure and backend services
  • Validator-adjacent components
  • Public-facing APIs and web applications
  • Open-source repositories under Intersect stewardship
  • Developer tools and interfaces supporting the ecosystem

Smart contracts and blockchain components are included only where explicitly stated as in scope.

What’s in scope - and what’s out?

✅ In scope

  • Core infrastructure: validator nodes, backend services, developer tools
  • Smart contracts and blockchain components that are maintained or explicitly included
  • Public-facing APIs, web apps, and repositories we manage

❌ Out of scope

  • Social engineering, phishing, impersonation, or attacks on physical infrastructure
  • Denial of Service (DoS/DDoS) attacks that disrupt operations
  • Third-party services not directly managed by us
  • Environments not yet deployed into production, unless explicitly included

Clear, transparent timelines

We are committed to operating the program with predictable, reliable turnaround times:

  • Report acknowledgement: within 24 hours
  • Verification and classification: within 7–14 days
  • Fix deployment targets:
    • Critical ≈ 7 days
    • High ≈ 14 days
    • Medium/Low ≈ 30 days
  • Reward payout: within 30 days of validation

How the program works

Each valid report submitted through the program will be reviewed by Intersect’s Security Council, which leads triage and remediation efforts. Oversight is provided by the Open Source Committee (OSC) to ensure alignment with community values. The Open Source Office (OSO) manages day-to-day operations, from logging reports and coordinating fixes to processing rewards.

This governance structure ensures clarity, transparency, and accountability at every stage:

  • Security Council: incident management, triage, and remediation
  • OSC: program oversight and governance alignment
  • OSO: execution, coordination, communication, and payments

How to participate

Anyone with relevant expertise can contribute; reports must follow responsible disclosure guidelines. This means avoiding techniques that degrade services and not publicly disclosing the issue until it has been resolved.

A strong report should include:

  • A clear, descriptive title
  • A detailed explanation of the issue
  • Steps to reproduce
  • Proof-of-concept (PoC): screenshots, scripts, or video walkthroughs
  • The affected component (system, contract, service, or API)
  • Suggested remediation, if possible

Submissions can be made through Intersect’s private disclosure channels listed in the Knowledge Base.

What happens next

After you submit a report, you will receive an acknowledgement within 24 hours confirming receipt. From there, the Security Council will review, triage, and classify the issue, a process that typically takes between 7 and 14 days depending on complexity. Once the severity has been determined, the fix will be scheduled and deployed according to its priority level. When the vulnerability has been fully validated and resolved, the corresponding reward will be issued, usually within 30 days of validation.

A shared commitment to security

Intersect and the Open Source Committee deeply value the work of researchers who help secure the ecosystem. Every report is handled with care, and contributors are kept informed throughout the process. Where permitted, participants will also be publicly acknowledged for their contribution to strengthening Cardano.

This program is not just about finding bugs. It is about building trust, reinforcing transparency, and empowering the community to take an active role in securing the open-source tools that make Cardano possible.

Join us

If you are passionate about open-source security and have the skills to uncover vulnerabilities, we invite you to take part. Your insights and discoveries can make a meaningful difference to the infrastructure that supports millions of users worldwide. Read more details about this program here.

Together, we can make Cardano’s open-source ecosystem stronger, safer, and more resilient for everyone.

The Open Source Committee and Open Source Office Teams

Read Original Article on Intersect

ORIGINAL SOURCE

https://www.intersectmbo.org/news/introd...
