World increases bounties for enhanced Bug Bounty Program

Nov 04, 2024 2 Minute Read

World is fully committed to security. 

This commitment is why the network launched its first Bug Bounty Program in early 2024, managed by contributor Tools for Humanity (TFH). Since then, dozens of security reports have been resolved and tens of thousands have been paid out in bounties to researchers whose invaluable work helps ensure World remains secure as it scales around the globe.

Now, the security team at TFH is introducing several enhancements to further improve the Bug Bounty Program.

New reward structure

The World Bug Bounty Program reward structure is moving to a tiered model that prioritizes vulnerabilities in high-impact areas, to better align risks with researcher rewards.

This approach should help researchers focus their efforts on finding more bugs in critical assets, offering stronger incentives for more impactful findings. Here’s what’s new:

  • Assets will be classified into two categories—primary and secondary—based on their maturity and criticality (newly added assets will automatically be categorized as secondary assets).
  • The maximum reward amounts for all assets are increasing to $25,000 for primary assets and $10,000 for secondary assets.
  • The severity of vulnerabilities will be estimated using CVSS 4.0 to increase the precision of their assessments.  
Primary assetsSecondary assets
Critical$15,000 - $25,000$5,000 - $10,000
High$5,000 - $12,500$1,500 - $3,000
Medium$750 - $2,000$500 - $1,000
Low$100 - $500$100 - $300

Learn more about the classification of in-scope assets in the Bug Bounty Program policy

New features with updated scope

The scope of the Bug Bounty Program is expanding to encompass new features, including some announced during the 'A New World' event held in October in San Francisco. These include:

Mini Apps developed by TFH and the minikit-js package

Face Auth and World ID Credentials

New World Chain smart contracts, including WLD Vault

Treasure map

The security team at TFH is also kicking off a treasure map to help researchers better understand the assets in scope.

Information and assets will continually be added to the treasure map as the Bug Bounty Program and infrastructure evolve.

View the treasure map here.

Learn more and get started with the Bug Bounty Program

All valid, in-scope security reports are welcome, and the team places high value on well-researched, concise, professional reports trying to find deep bugs in the network’s systems.

Get started today by visiting the Bug Bounty Program page.

To learn more about privacy and security at World, visit the World website, read the Private by design whitepaper, watch the Privacy in the age of AI video series or talk with the team at the Ekoparty security conference in Buenos Aires from Nov 13-15, 2024. 

You can also join the daily conversations on Twitter/X, Telegram, Discord, YouTube and LinkedIn, or sign up for the blog newsletter at the bottom of this page. Additional important information concerning the project is available in the World protocol whitepaper.

Disclaimer

The above content speaks only as of the date indicated. Further, it is subject to risks, uncertainties and assumptions, and so may be incorrect and may change without notice. A full disclaimer can be found in our Terms of Use and Important User Information can be found on our Risks page.