
Jito Network (jito.network) Bug Bounty: $5,000 USD Equiv. · Each Proven Critical

Jito stewards validators, bundles, restaking primitives, relays, infra, and SPL programs — collectively the whole stack is bounty surface with no artificial allow-list exclusions. Payments route through Immunefi intake; settle per program rules (JTO conversion per foundation policy). Earn $5,000 (USD denomination) for every validated critical where you disclose a lucid attacker chain plus objective confirmation the exploit succeeds (ledger proofs, scripted repro, verifier logs — not hypothetical prose). For reference + submission UI see jito.network.

BountyHunter Editorial

Security Research Desk

Reading time: 9 min
Critical payout: $5,000 USD denom · per validated report
Scope: Full · all Jito-controlled systems
Proof bar: Chain + PoC (kill chain + successful exploit)
PoC & KYC: Required (Immunefi policy)
Settlement: JTO (per foundation / Immunefi)
01 — Overview

Stack-wide bounty under Immunefi

Jito ships the Jito-Solana validator fork, bundles, relayer ingress, tip economics, restaking / vault contracts, tools that operators download, infra they host, dashboards, alerting, forks of upstream Solana where Jito merges fixes — hunters treat that entire footprint as bounty territory with no secondary exclusion appendix beyond universally illegal misconduct. File through Immunefi › Jito per foundation workflow.

Money rule here: each accepted critical documented with a reproducible exploitation story pays $5,000 (USD denomination; settlement rails follow Immunefi / foundation policy, historically JTO). Non-critical chatter may ride along for remediation credit but not this stipend.

Immunefi still adjudicates paperwork (PoC mandates, duplicates, embargo, payouts) — align attachments with Immunefi UX, but bounty philosophy on this microsite stays: full scope · $5K/critical · kill chain · proven successful attack artifacts.
02 — Why this matters

Why focus on Jito?

Consensus-path code paths

Jito patches sit close to consensus and block production — subtle bugs ripple fleet-wide through stakers and the Solana validator set.

$5k per proven critical only

Ignore legacy tier noise here — only documented critical chains with exploits that land earn the posted flat grant.

JTO-denom payouts

Immunefi still governs payout mechanics — expect JTO rails + KYC gates when money moves.

Restaking frontier

New NCN/restaking primitives mean fresh smart-contract attack surface atop battle-tested SPL patterns.

03 — Reward

$5,000 USD equivalent per validated critical

This playbook intentionally collapses ladders: hunters ship end-to-end critical exploitation with both a written chain and undeniable proof-of-success; each cleared ticket pays $5,000. Operational settlement still follows Immunefi + foundation procedures (typically JTO conversion & KYC). Anything below critical severity may fuel fixes but not unlock this bounty line.

Critical $5,000 USD ea.

Unrecoverable staking / treasury loss, indefinite consensus stall attributable to shipped Jito binaries, remote execution path owning block production or forging authorized program transitions.

  • Validator client / relay combo leading to repeatable fund exfiltration or consensus halt
  • Smart-contract escrow break draining NCN-linked vault receipts
  • Interceptor / stake-pool bridging flaw enabling laundering across socialized liquidity
Immunefi insists on proofs — match that bar with observable exploit success mirrored from their reproducibility checklist plus this site’s mandated kill-chain dossier.
04 — Scope map

Reference inventory (everything Jito-linked stays eligible)

Listed rows are breadcrumbs — omission does not mean “hands off.” Engineers may spin new repos nightly; bounty scope expands with them unless Jito disclaims ownership elsewhere (very rare).

Surface · Class · Critical bounty
Jito-Solana validator, block engines · Class: Chain · $5,000 / validated critical
Relayer QUIC edge, infra automation · Class: Network · $5,000 / validated critical
Tip routers, SPL programs, restaking + vault stacks · Class: Programs · $5,000 / validated critical
Interceptor, dashboards, alerting, binaries · Class: Platform · $5,000 / validated critical
Cross-check authoritative repo pointers on Immunefi · Scope → Assets — counts grow; treat Immunefi enumeration as infra truth for SHA pinning.
05 — Scope doctrine

No bounty carve-outs besides legality/ethics

Researchers may pursue any Jito-owned or Jito-maintained digital surface reachable without breaking law — including infra misconfigs, QUIC parsing, CI secrets when exposed through their stack, internal dashboards, forks of upstream crates they vendor, ephemeral test clusters, tooling scripts, WASM blobs in their repos, telemetry SDKs bundled with installers.

  • Unpublished integration sandboxes mirrored for partners
  • Hardening experiments / feature flags flipped in staging binaries
  • Supply-chain artefacts distributed through Jito code-sign pipelines
Civil floor: crime, ransomware, harming random third parties unrelated to bounty scope, sabotaging unrelated networks — all still barred even under “maximum scope.”
06 — Rules

Rules of engagement

  1. Submit through Immunefi (private queue, embargo tiers, evidence uploads). Reference Programs → Jito.
  2. Show the attack chain end-to-end: assumptions → primitives → amplification → decisive harm.
  3. Demonstrate exploitation success. Transaction traces, scripted harness, PCAP + repro binary, deterministic fork snapshot — Immunefi adjudicators refuse “maybe” exploits.
  4. Honor duplicate primacy: first verified chain earns $5K grant; merges close gracefully.
  5. Operational kindness: coordinate if mass validator disruption is plausible — catastrophic tests belong in clones unless Immunefi liaison green-lights narrower canaries.
07 — Submit

How to submit a report

Compose inside Immunefi’s secure reporter. Embed the dossier skeleton below verbatim to align triagers with this playbook + their internal grading.

Report dossier skeleton
# Immunefi headline
[Critical][Exploit Demonstrated]

# Canonical asset URL(s) & immutable commit hashes

## Kill chain narration (numbered, zero gaps between steps)
… include QUIC / protobuf / BPF / RPC specifics as applicable …

## Successful exploitation evidence
• Final exploiter transaction(s) + slot context OR deterministic localnet clone evidence
• Raw logs with instruction indices + account metas
• Exploit repo tag + `docker compose` or `nix develop` entrypoint

## Regression / blast radius note
Quantify potential fund loss or consensus stall using latest TVL / stake figures

## Legal / coordination
Disclose any prior communications with core devs; confirm no public leak yet
No theory tickets: Without the successful attack appendices, expect auto-hold — triage will not advance payout even if prose is elegant.
08 — Example

Rust vignette · must marry to successful exploit replay

Skeleton code only counts when paired with a runnable harness Immunefi validators can replay to watch funds move or validators panic — nothing less clears the bounty bar.

Rust sketch · voucher mint
// Illustrative rounding bug enabling over-mint (deliberately vulnerable sketch; Pool is a minimal stand-in so it compiles)
pub struct Pool { pub share_ratio: u64, pub minted: u64 }
impl Pool {
    pub fn mint_to_user(&mut self, shares: u64) { self.minted += shares; }
}
pub fn issue_voucher(pool: &mut Pool, qty: u64) {
    // BUG: multiplying then dividing without wide intermediate type
    let shares = (qty.checked_mul(pool.share_ratio).unwrap()) / 1_000; // still wrong if truncation loses dust
    pool.mint_to_user(shares);
}
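The sketch above beside a hardened share calculation, as an added example that is not Jito code: the narrow u64 product either panics on overflow (a transaction abort rather than a clean error) or silently floors, while the widened version rounds in the pool's favour and refuses zero-share mints. `Pool`, `VoucherError`, both `issue_voucher_*` functions and the fixed 1_000 scale are assumed names for illustration only.

```rust
// Added illustration, not Jito code; names and the 1_000 scale are assumptions.
#[derive(Debug, PartialEq)]
pub enum VoucherError {
    Overflow,   // product or final share count does not fit the ledger width
    ZeroShares, // deposit too small to mint even one share; refuse, do not eat it
}

pub struct Pool {
    pub share_ratio: u64, // shares per 1_000 deposited units
    pub minted: u64,      // running total of shares issued
}

/// Vulnerable path from the sketch: u64 intermediate, panic on overflow.
pub fn issue_voucher_vulnerable(pool: &mut Pool, qty: u64) -> u64 {
    let shares = (qty.checked_mul(pool.share_ratio).unwrap()) / 1_000;
    pool.minted += shares;
    shares
}

/// Hardened path: widen to u128 before multiplying, keep floor rounding so dust
/// stays with the pool, refuse zero-share mints and report overflow as an error.
pub fn issue_voucher_hardened(pool: &mut Pool, qty: u64) -> Result<u64, VoucherError> {
    let wide = (qty as u128)
        .checked_mul(pool.share_ratio as u128)
        .ok_or(VoucherError::Overflow)?;
    let shares = u64::try_from(wide / 1_000).map_err(|_| VoucherError::Overflow)?;
    if shares == 0 {
        return Err(VoucherError::ZeroShares);
    }
    pool.minted = pool.minted.checked_add(shares).ok_or(VoucherError::Overflow)?;
    Ok(shares)
}

/// Returns true when the vulnerable path panics for this deposit; lets a harness
/// observe the overflow footgun without crashing the whole run.
pub fn vulnerable_panics(share_ratio: u64, qty: u64) -> bool {
    let mut pool = Pool { share_ratio, minted: 0 };
    std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        issue_voucher_vulnerable(&mut pool, qty)
    }))
    .is_err()
}

fn main() {
    let mut pool = Pool { share_ratio: 1_500, minted: 0 };
    println!("{:?}", issue_voucher_hardened(&mut pool, 1_000)); // Ok(1500)
    println!("overflow panics: {}", vulnerable_panics(4, 1u64 << 62)); // true
}
```

Splitting one 1_000-unit deposit into a thousand 1-unit deposits mints 1_000 shares instead of 1_500 under the hardened path, which is the direction you want: floor rounding leaves the dust with the pool rather than with the caller.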
09 — FAQ

Frequently asked questions

Is there a shrunken asset allow-list?

No carve-outs for “non-core” infra — everything Jito can patch or coordinate remediation on is in scope.
Use Immunefi scoped-repo links for pinning SHAs.

Will Medium issues still pay $5,000?

Under this guide: only critical exploits with reproducible attacker success earn the stipend.

Where do payouts flow?

Immunefi + Jito settlement rails (typically JTO), following their published disbursement timelines after KYC & fix verification.

Documentation-only bugs?

Nice for docs, worthless for payout — escalate until you reproduce genuine exploit success artifacts.

Duplicates?

First reporter with reproducible exploitation evidence earns the grant; Immunefi adjudicates overlaps.

Prove the exploit → Collect $5,000

Full Jito footprint · Immunefi rails · Mandatory attack chain dossier.