alchemy-web
Total reward: $10,000
No deposit required
Findings submitted: 244
Start date: 7 Oct 2025
Welcome to Alchemy’s Bug Bounty! We invite researchers and developers to help us strengthen our Web3+Web2 ecosystem by identifying bugs and vulnerabilities across our stack. The scope includes our frontend applications, backend APIs, websites, and SDKs. Whether it’s a glitch, an exploit, or a hidden vulnerability, your discoveries will help protect our users and ensure the future of blockchain remains secure.
Scope
In Scope Targets
- Web Interface / Application:
  - All public-facing APIs related to:
    - *alchemy.com
    - *alchemyapi.io
- Other In-Scope Assets:
  - Specifically, Smart Wallets SDK on the main branch/release
  - https://github.com/alchemyplatform/rundler
  - Findings discovered in other Alchemyplatform repos up to discretion
If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Third-Party Dependencies
- Vulnerabilities in the blockchain itself
- Issues in third-party libraries or dependencies not developed or maintained by Alchemy
- Please check out our other programs if you’re interested in submitting vulnerabilities on Alchemy’s Smart contracts!
- Non-Technical Issues
- UI/UX issues that do not impact security
- Documentation errors or inconsistencies
- Accessible Non-sensitive files and directories (e.g., README.TXT, CHANGES.TXT, robots.txt, .gitignore, WSDL, pprof, etc.)
- Clickjacking and issues that are only exploitable through clickjacking
Default Out of Scope:
- Please refer to the docs for default out of scope guidelines
Prohibited Actions
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Denial of Service attacks
- Email spoofing not using direct Alchemy solutions due to system vulnerabilities
- Live testing on public chains, including public mainnet deployments and public testnet deployments, is prohibited.
- We recommend testing on local forks, for example, using Foundry.
- Privacy violations, destruction of data, and actions that cause interruption or degradation of our services are prohibited. Only interact with accounts you own or with the explicit permission of the account holder.
- Public disclosure of bugs without the written consent of the Alchemy team is prohibited.
- No Conflicts of Interest. Any individual who is or has ever been employed by Alchemy (or their immediate family & cohabitants), or who is or has ever been a contractor of Alchemy, may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question (or their family) may not participate in the Bug Bounty.
Eligibility
- You must discover a previously-unreported, non-public vulnerability that is not previously known by the Alchemy team and is within the scope of this bug bounty program (the “Program”).
- You must provide all KYC and other documents as requested.
- You must be the first to disclose the unique vulnerability, in compliance with the disclosure requirements. A vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program is not eligible for a reward.
- You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- You cannot exploit the vulnerability in any way, including by making it public or by obtaining a profit (other than a reward under this Program).
- You cannot publicize or exploit a vulnerability in any way other than through private reporting to us.
- You must refrain from any privacy violations, destruction of data, interruption, or degradation of any of the assets or systems in scope.
- You cannot engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- You must be at least 18 years old at the time of submission.
- You cannot reside in a country under (or otherwise be subject to) any trade or economic sanctions by the United States Treasury’s Office of Foreign Assets Control or other applicable sanctions laws, or where the laws of the United States or local law prohibit participation. You cannot be one of our current or former employees (or their family member), or a vendor or contractor who has been involved in the development of the code of the bug in question.
- You must comply with all the rules of the Program, including but not limited to refraining from engaging in any Prohibited Actions.
Disclosure Requirements
- Impact - detail the potential risk of the vulnerability and the implications if it is exploited
- Description - overview of vulnerability and occurrence details
- Detailed reproduction steps
- Evidence/screenshots
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Severity and Rewards
Vulnerabilities are classified using two key factors: Impact and Likelihood. The combination of these factors determines the severity and guides the amount of the reward.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Leads to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Causes notable financial loss or significantly harms user trust, but on a lesser scale than Critical.
- Medium: Results in limited financial damage or moderate system impact.
- Low/Informational: Minimal direct risk but may indicate areas for improvement.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires very specific conditions.
Payout Guidelines
| Severity | Payout Range |
|---|---|
| Critical | Up to $10,000+ |
| High | Up to $5,000-10,000 |
| Medium | Up to $1,000-5,000 |
| Low | Discretionary |
Note: Actual reward amounts are determined at Alchemy’s sole discretion. Factors influencing payout include the quality of the report, completeness, and the severity and exploitability of the vulnerability.
Other Terms: By submitting your report, you grant Alchemy all rights, including intellectual property rights, necessary to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Alchemy’s sole discretion. The terms and conditions of this Program may be amended, and the Program may be terminated at any time.