World is fully committed to security.
This commitment is why the network launched its first Bug Bounty Program in early 2024, managed by contributor Tools for Humanity (TFH). Since then, dozens of security reports have been resolved and tens of thousands of dollars have been paid out in bounties to researchers whose invaluable work helps ensure World remains secure as it scales around the globe.
Now, the security team at TFH is introducing several enhancements to further improve the Bug Bounty Program.
New reward structure
The World Bug Bounty Program reward structure is moving to a tiered model that prioritizes vulnerabilities in high-impact areas, so that rewards better track the risk a finding represents.
This approach should help researchers focus their efforts on finding more bugs in critical assets, offering stronger incentives for more impactful findings. Here’s what’s new:
- Assets will be classified into two categories—primary and secondary—based on their maturity and criticality (newly added assets will automatically be categorized as secondary assets).
- The maximum reward amounts for all assets are increasing to $25,000 for primary assets and $10,000 for secondary assets.
- Vulnerability severity will be assessed using CVSS 4.0, which improves the precision of severity ratings. The CVSS 4.0 qualitative scale maps scores to the bands used in the table below: Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0).
Severity | Primary assets | Secondary assets
---|---|---
Critical | $15,000 - $25,000 | $5,000 - $10,000
High | $5,000 - $12,500 | $1,500 - $3,000
Medium | $750 - $2,000 | $500 - $1,000
Low | $100 - $500 | $100 - $300
Learn more about the classification of in-scope assets in the Bug Bounty Program policy.
New features with updated scope
The scope of the Bug Bounty Program is expanding to encompass new features, including some announced during the 'A New World' event held in October in San Francisco. These include:
Mini Apps developed by TFH and the minikit-js package
- Description: Mini Apps allow developers to build web applications that provide a native-like experience directly within the new World App.
- Scope: *.studios.toolsforhumanity.com, vote.one, https://github.com/worldcoin/minikit-js
- Documentation: https://docs.world.org/mini-apps
Face Auth and World ID Credentials
- Description: Face Auth is a new way to help combat online fraud and enables new tools such as Deep Face; World ID Credentials gives users privacy-preserving control over digital identity documents such as NFC-enabled passports.
- Scope: World App, nfc.crypto.worldcoin.org
- Documentation: https://support.worldcoin.com/hc/en-us/articles/31589092274195-What-is-Face-Authentication-and-how-does-it-work
New World Chain smart contracts, including WLD Vault
- Description: With the launch of World Chain, some existing World smart contracts have been migrated to that chain, and new contracts have been deployed on it.
- Scope: Contracts listed under
- Documentation: https://docs.world.org/world-chain/reference/address-book
Treasure map
The security team at TFH is also kicking off a treasure map to help researchers better understand the assets in scope.
Information and assets will continually be added to the treasure map as the Bug Bounty Program and infrastructure evolve.
View the treasure map here.
Learn more and get started with the Bug Bounty Program
All valid, in-scope security reports are welcome, and the team places high value on well-researched, concise, professional reports from researchers who dig for deep bugs in the network's systems.
Get started today by visiting the Bug Bounty Program page.
To learn more about privacy and security at World, visit the World website, read the Private by design whitepaper, watch the Privacy in the age of AI video series or talk with the team at the Ekoparty security conference in Buenos Aires from Nov 13-15, 2024.
You can also join the daily conversations on Twitter/X, Telegram, Discord, YouTube and LinkedIn, or sign up for the blog newsletter at the bottom of this page. Additional important information concerning the project is available in the World protocol whitepaper.
Disclaimer
The above content speaks only as of the date indicated. Further, it is subject to risks, uncertainties and assumptions, and so may be incorrect and may change without notice. A full disclaimer can be found in our Terms of Use and Important User Information can be found on our Risks page.