Bug Bounty Program

The Energy Web Bug Bounty Program exists to incentivize and reward members of the community who identify and help resolve security vulnerabilities in the EW Chain, Utility Layer, EW-DOS toolkits, and auxiliary EW-related tools and infrastructure.

The scope of the program includes all public EW GitHub repositories and hosted applications (Switchboard, EWC Bridge, Key Manager). The primary areas of interest are:

  • Access/Identity vulnerabilitiesĀ 
  • Logical Errors
  • Exploitation - XSS, CSRF, SQL injection, SSL misconfigurations etc.
  • Smart Contract Errors
  • Cryptography Errors

The following are out of scope and excluded from the Bug Bounty program:

  • DNS, configuration, and hosting of the website
  • Any known vulnerabilities reported on third-party sites (e.g., Hackerone)
  • Any previously-reported vulnerabilities (those listed on this webpage)
  • Any vulnerability found using common open-source scanner tools ( e.g., or

Individuals or organizations who report and/or resolve bugs are eligible for rewards (EWT and public recognition) as follows:

  • Bugs are categorized at the sole discretion of the Energy Web Technical Committee using a risk assessment matrix based on impact and likelihood. The reward for a given bug is proportional to its severity; rewards are also higher for reporting a bug along with a recommended resolution than for reporting a bug alone.
  • Severity categories are defined as follows:
    • Low = vulnerabilities that may result in reduced functionality for certain users under specific conditions.
    • Moderate = vulnerabilities that will result in reduced functionality for all users under existing conditions.
    • High = vulnerabilities that may result in 1) loss or reduced access to EWT, private keys, or personally-identifiable information for some users under certain conditions, or 2) complete system failure for some users under certain conditions.
    • Critical = vulnerabilities that will result in irrevocable loss of EWT, private keys, or personally-identifiable information and/or complete system failure for all users under existing conditions.
  • To be eligible for the reward, a reporter must meet ALL of the following criteria:
    • Provide a description of the reproducible bug, including a script and/or detailed step-by-step instructions on how to expose the vulnerability, to bugbounty AT energyweb DOT org.
      • The reporter must include a high-level summary, detailed attack / failure scenario, proposed impact / likelihood. Reporters must show the impact of the vulnerability - in other words what harm potentially could they do with the retrieved information. Sometimes, vulnerabilities indeed seem critical but could not be exploited in a harmful way, (e.g. disclosed server root password seems critical however only if that server is accessible from the internet).
      • If also providing a resolution, they must include an invitation to the relevant private GitHub repository and/or related documentation.
      • The reporter must also provide an address for the EWT bounty reward.
    • Be the first person to report the issue (see list of known issues below)
    • Not disclose any details of the bug / vulnerability publicly.
    • Not be a paid auditor or contractor of EWF.
  • To be eligible for an EWT and/or public recognition reward, the reporter must also provide their legal name; email address; copy of a government-issued identification document showing full name, nationality, and country of residency; and a photo of themselves holding their government-issued identification document along with a note depicting their legal name, the date of the report, and Energy Web Chain address.
    • This information will be used exclusively to perform KYC/AML verification under the terms of Energy Web privacy policy.
  • Upon receipt of a vulnerability report, the EW team will review the details and respond directly if the vulnerability is deemed to be credible and eligible for the program under the terms above. Due to the volume of reports, not all reports will receive a direct response.

Please contact bugbounty AT energyweb DOT org with any further questions, and thank you for your help strengthening the Energy Web community.



Date Resolved
Bug Name
User Name
User Twitter
User Github
April 27, 2021
EWC Explorer Database Vulnerability
Source code, configuration files, and database information / credentials (admin key) are exposed in An attacker could use this information to disable the explorer site, get cookies of accounts pushed to the server, and create artificial / false transactions in the explorer database (not EWC itself). To resolve, update the database admin keys and remove this information from source code.
The Energy Web is accelerating a low-carbon, customer-centric electricity system by unleashing the potential of open-source, decentralized, digital technologies.

Latest Tweets

I'm happy to represent the @energywebx at the ... conference on June 7. Join me at 13:30 CEST to discuss how we can achieve the United Nations (UN) Sustainable Developments Goals (SDG)

Excited to see @ArgoBlockchain and @dmgblockchain join the @CryptoClimAcc as ... signatories and spearhead a 'green hash rate' solution. The movement to #makecryptogreen is accelerating, via @CoinDesk.

This week's @Tesla $BTC announcement is bigger than #crypto and bigger than ... #electricvehicles, because it's about BOTH. With $EWT, the #EnergyWeb tech stack, and the @CryptoClimAcc, we can #makecryptogreen while decarbonizing the global energy sector. You in, @elonmusk?

Congratulations to longtime #EnergyWeb member and California utility @PGE4Me for... being named to the @SEPAPower Utility Transformation Leaderboard, recognizing progressive, cutting-edge utilities accelerating a clean, modern, digital grid.

Subscribe to our email newsletter today to receive updates.