The Open Source Committee (OSC) is proud to announce the launch of the Intersect Bug Bounty Program. This new initiative reinforces our commitment to security, transparency, and community collaboration across the Cardano ecosystem.
Developed in alignment with the Paid Open Source Model (POSM), this program establishes a formal pathway for ethical hackers, security researchers, and community contributors to identify and responsibly disclose vulnerabilities in the open-source infrastructure managed by Intersect. It represents a shared effort to strengthen the systems that underpin Cardano’s decentralized future.
As the Cardano ecosystem continues to expand, maintaining a strong security posture is critical. The Bug Bounty Program is designed to make that possible through structured collaboration and clear accountability. It encourages responsible disclosure, rewards meaningful discoveries, and ensures that vulnerabilities are addressed swiftly and transparently.
By inviting the community to take part, Intersect aims to transform security from a background process into an open, participatory practice that reflects the decentralised principles driving Cardano’s growth.
Clear incentives and reward guidance – To ensure fair compensation, each severity level is associated with a reward range based on potential impact. These ranges serve as guidance rather than strict limits; in some cases, a severe issue may warrant a higher bounty based on the threat level.
Reward tiers:
Coverage – The program includes vulnerabilities affecting key infrastructure managed or sponsored by Intersect, including:
Smart contracts and blockchain components are included only where explicitly stated as in scope.
What’s in scope – and what’s out?
We are committed to operating the program with predictable, reliable turnaround times:
Each valid report submitted through the program will be reviewed by Intersect’s Security Council, which leads triage and remediation efforts. Oversight is provided by the Open Source Committee (OSC) to ensure alignment with community values. The Open Source Office (OSO) manages day-to-day operations, from logging reports and coordinating fixes to processing rewards.
This governance structure ensures clarity, transparency, and accountability at every stage:
Anyone with relevant expertise can contribute; reports must follow responsible disclosure guidelines. This means avoiding techniques that degrade services and not publicly disclosing the issue until it has been resolved.
A strong report should include:
Submissions can be made through Intersect’s private disclosure channels listed in the Knowledge Base.
After you submit a report, you will receive an acknowledgement within 24 hours confirming receipt. From there, the Security Council will review, triage, and classify the issue, a process that typically takes between 7 and 14 days depending on complexity. Once the severity has been determined, the fix will be scheduled and deployed according to its priority level. When the vulnerability has been fully validated and resolved, the corresponding reward will be issued, usually within 30 days of validation.
Intersect and the Open Source Committee deeply value the work of researchers who help secure the ecosystem. Every report is handled with care, and contributors are kept informed throughout the process. Where permitted, participants will also be publicly acknowledged for their contribution to strengthening Cardano.
This program is not just about finding bugs. It is about building trust, reinforcing transparency, and empowering the community to take an active role in securing the open-source tools that make Cardano possible.
If you are passionate about open-source security and have the skills to uncover vulnerabilities, we invite you to take part. Your insights and discoveries can make a meaningful difference to the infrastructure that supports millions of users worldwide – Read more details about this program here.
Together, we can make Cardano’s open-source ecosystem stronger, safer, and more resilient for everyone.
