Active Program · $5,000 flat per validated critical · Full Jupiter surface · no exclusions

Jupiter (jup.ag) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

This program treats every Jupiter-controlled asset as in-scope: on-chain programs, APIs, web/mobile clients, infra, tooling, and forks you can prove Jupiter maintains — there is no secondary “allow-list-only” carve-out list here. For each critical flaw the team validates, hunters earn exactly $5,000 USDC. Acceptance requires a narrative attack chain (step by step from entry to harm) plus credible proof of successful exploitation: signatures/logs, a scripted replayable PoC, or equivalent evidence that the exploit actually achieves impact — not screenshots of theory alone.

BountyHunter Editorial

Security Research Desk

Published
Reading time: 8 min
Status: Live · Accepting reports
Critical payout: $5,000 each validated report
Avg. triage: ~24h first response time
Reports resolved: 10+ since launch
Scope: everything Jupiter operates · no exclusions
Proof bar (chain + PoC): kill chain narrative + attack succeeds
01 — Overview

A new chapter for Solana DeFi security

Jupiter is the most-used decentralized exchange (DEX) aggregator on Solana, routing massive swap volume through many liquidity integrations. This bounty model is blunt: hunters map the widest possible perimeter, disclose fully, and compete on end-to-end critical exploitation quality — each confirmed critical pays $5,000.

Eligible surface (if Jupiter can patch it or owns accountability for it, hunters can chase it until triage rejects it):
  • every smart contract Jupiter authors, plus aggregator and supporting programs
  • frontend and background workers, signer flows, quoting and routing infra
  • wallets / SDK wrappers maintained by Jupiter
  • partner-hosted Jupiter plugins when Jupiter controls patches
  • release pipelines, binaries, dashboards, bots, caches, build servers, telemetry collectors
  • staging and research environments mirrored for repro
  • CI secrets, only if surfaced through their stack

Excluded only by necessity: crimes (extortion, user harassment), harming unrelated third‑party infra you do not legitimately audit, spam without signal. Those are societal/legal limits — not narrower “business scope” exclusions.

Minimum evidence bar — non-negotiable:
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable txs, fixture logs, video with signatures, scripted harness)
Narratives without a working exploitation path are graded below payout threshold.
02 — Why this matters

Why hunt Jupiter?

Single flat critical wage

$5,000 USD per validated critical. No juggling opaque Medium/High tables under this playbook.

Real, fast payouts

USDC on Solana settles fast once your attack chain + successful PoC clear validation.

No fake “narrow scope” fences

Infra churn & rare components stay fair game as long as Jupiter controls remediation.

Recognition

Demonstrated criticals with reproducible exploits float to disclosure credit & halls of fame.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USDC each. Non-critical novelty might receive coordination credit or internal tracking, but not this cash line — focus ruthlessly on chain-ending impact. Every paid report must simultaneously ship (a) attacker-language kill chain narration and (b) objective proof that the exploit path succeeded (see submission template fields).

Critical $5,000 USDC ea.

Privileged loss of user/agency funds at scale; persistent protocol confiscation/destruction equivalent to consensus failure for Jupiter-hosted trust boundaries.

  • Unauthorized mint/movement of vaulted user assets affecting live clusters
  • Confidential signer / KMS flow break leading to repeatable theft
  • Aggregator authority bypass netting irreversible draining sequence
Operational truth: If you can't yet prove the exploitation lands, iterate locally until transactions / logs objectively show attacker success — triage rejects “would/might happen” drafts.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows do not impose limits — they're convenient handles for writing reports. Anything Jupiter fingerprints as theirs is bounty terrain even if omitted below. “Not listed” does not mean “out of scope”: the default stance is open scope.

| Surface | Class | Critical payout |
|---|---|---|
| *.jup.ag, mobile apps & dapps | End-user | $5,000 / validated bug |
| Aggregator + limit/other on-chain Jupiter programs | Contracts | $5,000 / validated bug |
| Quote/pricing/RPC gateways & middleware Jupiter serves | Infra/API | $5,000 / validated bug |
| Build systems, infra DNS, alerting, dashboards, insider CI when Jupiter-maintained | Platform | $5,000 / validated bug |
05 — Scope policy

Everything Jupiter operates — no exclusions list

This program intentionally rejects shrunken allow-lists. If Jupiter can remediate via code/config/process ownership, hunters may test it for critical-impact chains without hunting for somebody else’s carve-out appendix.

  • All production + staging nets Jupiter labels theirs (including ephemeral QA)
  • Open-source/private repos patched by Jupiter engineers
  • Vendor SaaS knobs they administrate where breach routes through Jupiter SSO
  • Third-party WASM modules Jupiter ships signed inside their UX
  • Partner plugins only when Jupiter merges fixes (coordinate disclosure if counterpart needs PR)
Legal floor (not scope shrinkage): harassment, ransomware, harming arbitrary non-Jupiter users’ funds without coordination, laundering, or exploiting unrelated companies remains off-limits by law/ethics despite “wide scope.” Stick to sanctioned security research etiquette.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Dry essays fail. Ship artifacts that independently reproduce attacker victory (ledger state diff, scripted CLI, deterministic fuzz loop, reproducible txs).
  2. Articulate kill chain granularity. Number each hop across trust boundaries → crypto → economic effect; reviewers must reconstruct without guessing.
  3. Responsible blast radius documentation. Quantify hypothetical user capital exposure even if exercised only on forks/sandboxes aligned with Jupiter reality.
  4. Encrypt & ship privately. Use sanctioned intake (security mail / advisories — see submit section) prior to tweeting exploits.
  5. Honor duplicate fairness. First fully qualifying chain + reproducible exploitation wins treasury on equal severity collisions.
07 — Submit

How to submit a report

Transmit through security@jup.ag / private GitHub advisory per Jupiter’s rotating guidance. Mandatory sections:

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to Jupiter critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions / wallets / configs
2. Entry primitive (specific line / pubkey / REST path)
3. Pivot(s) chaining trust escalation
4. … final hop → theft / outage / irrevocable misuse

## Successful exploitation evidence (attach proofs)
• Transaction signatures (mainnet-canary acceptable if sanctioned; else IDENTICAL cloned-state fork)
• Ledger slot + program logs excerpts
• Hash of exploit repo tag + Dockerfile one-liners
• Or screen capture with signed CLI transcript + deterministic seeds

## Reproduction package
Commands + fixture download links + pinned commit SHAs

## Disclosure ack
Responsible channel only until Jupiter clears publication date
Gating reminder: Missing kill chain granularity or lacking demonstrable exploitation success bumps the intake into “needs rework” — no payout until solved.
08 — Example

Rust sketch (must pair with reproducible exploitation)

Below code is insufficient alone — pair it with a harness proving transactions land in a fork mirroring Jupiter program layout.

Rust · Anchor PoC
// PoC: missing authority check on `withdraw_fees`
use anchor_lang::prelude::*;

// Placeholder program id (not Jupiter's); replace with the deployed program's key.
declare_id!("11111111111111111111111111111111");

#[program]
pub mod vulnerable_program {
    use super::*;

    pub fn withdraw_fees(ctx: Context<WithdrawFees>) -> Result<()> {
        // BUG: no `has_one = authority` constraint on `vault` and no `authority`
        // signer in the accounts struct below, so any signer can call this.
        let vault = &ctx.accounts.vault;
        let recipient = &ctx.accounts.recipient;

        // Move every lamport in the vault to whoever signed as recipient.
        **recipient.try_borrow_mut_lamports()? += vault.to_account_info().lamports();
        **vault.to_account_info().try_borrow_mut_lamports()? = 0;
        Ok(())
    }
}

// Vault state: `authority` is the only key that should be allowed to withdraw.
#[account]
pub struct Vault {
    pub authority: Pubkey,
}

#[derive(Accounts)]
pub struct WithdrawFees<'info> {
    #[account(mut)]
    pub vault: Account<'info, Vault>,
    #[account(mut)]
    pub recipient: Signer<'info>,
    // FIX: add `pub authority: Signer<'info>,` here and change the `vault`
    // attribute above to `#[account(mut, has_one = authority)]`.
}
09 — FAQ

Frequently asked questions

Is anything actually “out of scope” besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, etc.). If Jupiter patches it or answers for it technically, testers can escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theory-only stays in triage backlog without compensation.

Are staging / dev nets fair game?

Yes whenever Jupiter labels or operates them.
Demonstrate realism by mirroring configs/data where possible.

Duplicates?

Fastest validated chain + reproducible exploitation wins treasury; follower tickets close acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact until it meets critical thresholds or accept non-monetary acknowledgement.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.