5 Bug Bounty Platforms in Web3 to Earn Money From

What Skills Do You Need for Web3 Bug Hunting

Bounty bug hunting is also called ethical hacking, or white hacking. Hackers identify vulnerabilities in web systems' code, logic, or structure. This helps improve security and prevent possible attacks, for which projects offer hackers rewards. Investing money in bounty programs helps projects fix weaknesses before malicious hackers can exploit them. The benefits of finding bugs go both ways. Besides earning money, bug bounties are a good option for blockchain developers to challenge and improve their skills. 

To start Web3 bug hunting, you need to have basic blockchain programming skills, an understanding of smart contracts, and a keen eye. According to DeFi Llama, among the most used blockchain programming languages in 2024 are Solidity, Rust, and Vyper. Mastering your skills, you can start the hunt. Participating in Web3 bug bounties is mostly free. Based on your knowledge, there are different bugs you can search for. Some are easy to find, and some take higher technical expertise. You can choose to commit to bug hunting full-time or choose a schedule that fits you. 

Before getting into hacking, you need to take into account that not in all cases you are rewarded. At times, you may spend time discovering and reporting a vulnerability to later find out it had been already reported. It takes excitement, persistence, analytical skills, and interest in brеaking systems to succeed in hacking for the long term. If you're interested in testing your bug-hunting skills, discover some platforms in the next section.

Web3 Bug Bounty Platforms to Check Out  

Bug bounty platforms connect projects with developers and auditors, serving as a common infrastructure. Companies also operate bug bounty programs through separate campaigns or initiatives. To increase your chances of finding projects you want to work on, you can check out both different individual initiatives or use platforms featuring multiple projects. Once you find a bug, you can report it following the rules provided by the program/platform. Below are 5 platforms to get rewards for finding vulnerabilities in Web3 systems.  

2. Immunefi

Immunefi homepage. Source: immunefi.com

Founded in 2020 and headquartered in Singapore, Immunefi is a leading bug bounty platform in Web3. According to the official website, Immunefi has already paid out more than $95 million in bounties, with over $162 million available for prizes to bug hunters through ongoing bounty programs. Companies, including LayerZero, Maker, Scroll, Optimism, and others currently offer bounties on the platform. In November 2023, the platform launched the White Hat Awards program, presenting award systems and perks for security researchers based on their earnings from bug reports.

2. HackenProof 

Bounty programs on HackenProof. Source: hackenproof.com

This platform is a part of the Hacken Ecosystem, a company offering a wide range of cybersecurity services. Hacken is headquartered in Kyiv, Ukraine, and Tallinn, Estonia. HackenProof has been operating since 2017. The platform currently lists ongoing bounty programs for Aptos, River Protocol, MetaMask, Polygon, NEAR, and others. In total, over 15,000 reports have been submitted on the platform and over $9 million has been paid to hackers.

3. Code4rena  

Code4rena statistics. Source: code4rena.com

The model of bug bounty programs on Code4rena differs from others in its structure. To provide fast security reviews, Code4rena separates different roles for participants. Auditors, named Wardens, identify flaws in a project and get paid. Sponsors define prize pools to compensate Wardens, Scouts determine the audit’s scope, Lookouts organize submissions and Judges assess the reports. Teams are gathered by Team Captains.  Code4rena was founded in 2021. There are over 8300 wardens registered on the platform and the number of unique findings exceeds 24,626. 

4. Remedy 

Cybersecurity products by Remedy. Source: r.xyz

Currently in its beta stage, Remedy is a cybersecurity platform founded by the blockchain auditing company Hexens in 2023. The platform presents a bug bounty board, a code query engine, called Glider, for deployed smart contracts to search, and zero-knowledge storage for checking duplicity and protecting reports' rights. Remedy’s bug bounty board enlists programs by Scroll, Layerswap, PancakeSwap, Metis, and other projects.

5. Sherlock  

Auditors leaderboard on Sherlock. Source: sherlock.xyz

On Sherlock, ethical hackers take part in bug bounty contests from different projects. The platform is built on the Ethereum blockchain and connects protocols with security experts. By finding errors, auditors earn rewards in the USDC stablecoin. Sherlock’s leaderboard ranks these auditors by their performance. Sherlock started in 2021 and has hosted 175 contests since then.

Conclusion

Web3 bug bounty platforms allow you to earn rewards by investing your time and skills to make the industry more secure. On each platform, you can find different projects and start working on the ones you want. Apart from Web3-focused bug bounty platforms, you can find Web3 programs on general platforms such as HackerOne and Intigriti.For both, experts and beginners, bounties represent options to solve security challenges as a side or full-time commitment.