Bug Bounty Program

The Energy Web Bug Bounty Program exists to incentivize and reward members of the community who identify and help resolve security vulnerabilities in the EW Chain, Utility Layer, EW-DOS toolkits, and auxiliary EW-related tools and infrastructure.

The scope of the program includes all public EW GitHub repositories and hosted applications (Switchboard, EWC Bridge, Key Manager). The primary areas of interest are:

  • Access/Identity vulnerabilitiesĀ 
  • Logical Errors
  • Exploitation - XSS, CSRF, SQL injection, SSL misconfigurations etc.
  • Smart Contract Errors
  • Cryptography Errors

The following are out of scope and excluded from the Bug Bounty program:

  • DNS, configuration, and hosting of the website
  • Any known vulnerabilities reported on third-party sites (e.g., Hackerone)
  • Any previously-reported vulnerabilities (those listed on this webpage)
  • Any vulnerability found using common open-source scanner tools ( e.g., or

Individuals or organizations who report and/or resolve bugs are eligible for rewards (EWT and public recognition) as follows:

  • Bugs are categorized at the sole discretion of the Energy Web Technical Committee using a risk assessment matrix based on impact and likelihood. The reward for a given bug is proportional to its severity; rewards are also higher for reporting a bug along with a recommended resolution than for reporting a bug alone.
  • Severity categories are defined as follows:
    • Low = vulnerabilities that may result in reduced functionality for certain users under specific conditions.
    • Moderate = vulnerabilities that will result in reduced functionality for all users under existing conditions.
    • High = vulnerabilities that may result in 1) loss or reduced access to EWT, private keys, or personally-identifiable information for some users under certain conditions, or 2) complete system failure for some users under certain conditions.
    • Critical = vulnerabilities that will result in irrevocable loss of EWT, private keys, or personally-identifiable information and/or complete system failure for all users under existing conditions.
  • To be eligible for the reward, a reporter must meet ALL of the following criteria:
    • Provide a description of the reproducible bug, including a script and/or detailed step-by-step instructions on how to expose the vulnerability, by completing this form. If also providing a resolution, they must include link and/or an invitation to the relevant private GitHub repository and/or related documentation.
    • Be the first person to report the issue (see list of known issues below)
    • Not disclose any details of the bug / vulnerability publicly.
    • Not be a paid auditor or contractor of EWF.
  • Upon receipt of a vulnerability report, the EW team will review the details and respond directly if the vulnerability is deemed to be credible and eligible for the program under the terms above. Due to the volume of reports, not all reports will receive a direct response.

Please contact bugbounty AT energyweb DOT org with any further questions, and thank you for your help strengthening the Energy Web community.



Date Resolved
Bug Name
User Name
User Twitter
User Github
April 27, 2021
EWC Explorer Database Vulnerability
Source code, configuration files, and database information / credentials (admin key) are exposed in An attacker could use this information to disable the explorer site, get cookies of accounts pushed to the server, and create artificial / false transactions in the explorer database (not EWC itself). To resolve, update the database admin keys and remove this information from source code.
The Energy Web is accelerating a low-carbon, customer-centric electricity system by unleashing the potential of open-source, decentralized, digital technologies.

Latest Tweets

Announcing our next speaker at Energy Innovation Days #EID21... @orioldevall of ... @energywebx on #blockchain and the #EnergyTransition. Get your free ticket now! #energy #innovation #eoninnovation

We need more of this: major power grid regulators like @californiapuc laying out... a clear roadmap to embrace and more fully tap the potential of decentralized energy technologies.

As we @energywebx keep building and introducing new tech to support the ... #EnergyTransition, we now better understand how to integrate with and create practical integration pathways for existing IT systems that electric grid operators, utilities, etc. use.

Our own @DougJMillerJr takes a fresh look at our work adding ... #blockchain-enhanced functionality to one of the world's largest #renewableenergy certificate (REC) tracking systems, with PJM-EIS, part of @pjminterconnect.

Innovation in #Digitalization and #blockchain for the #energy sector continues ... in South America, with the latest news coming out of Chile [in Spanish]:

Subscribe to our email newsletter today to receive updates.