Security is at the heart of all of our products at thirdweb. Ensuring the complete safety of our customers and products is always our top priority. We deeply appreciate the support of ethical hackers who help us maintain the highest standards of privacy and security for our users and technology. Below, we’ve outlined what constitutes responsible disclosure when identifying and reporting vulnerabilities, as well as what you can expect from us in return.

We offer a bug bounty program for vulnerabilities discovered across our platform. To qualify, submissions must include:

• Brief description of the issue and impact (who would be affected and what happens)
• Proof of concept demonstrating how the issue can be reproduced
• Proposed fix or resolution

Rewards

Up to $30,000 USD.

The reward depends on the severity of the finding and will be reviewed on a case by case basis. Vulnerability priority and reward may be modified based on likelihood or impact at thirdweb’s sole discretion. In cases of downgraded issues, researchers will receive a detailed explanation.

In Scope

• Deployed thirdweb contracts on mainnet (any chain)
  • Github repository: https://github.com/thirdweb-dev/contracts
• thirdweb product areas
  • thirdweb.com/*
  • portal.thirdweb.com/*
  • playground.thirdweb.com/*
• thirdweb APIs
  • api.thirdweb.com/*
  • pay.thirdweb.com/*
  • embedded-wallet.thirdweb.com/*
  • rpc.thirdweb.com/*
  • Any managed thirdweb Engine
• thirdweb SDKs
  • typescript
    • Github Repository: https://github.com/thirdweb-dev/js
      • included: packages/*, apps/*
  • Unity SDK
  • React Native SDK

Out of Scope

Anything not explicitly listed in the “in scope” section above is considered “out of scope”. If you believe you have found a vulnerability in a thirdweb operated property that is not listed above, please reach out to us to verify whether the property is in scope first.

Severity Classification