Highlighting the RippleX Bug Bounty Program

RippleXDev

At RippleX, our engineering team is dedicated to enhancing the rippled codebase, the cornerstone of the XRP Ledger. Our mission is to ensure that this codebase, crafted with contributions from developers globally, remains robust, secure, and ready to support the next generation of financial infrastructure.

Security plays a vital role throughout our development cycle. Over time, we have enhanced our software development and quality assurance procedures to emphasize accuracy and security. Our strategy involves automated testing, static analysis, collaborative code reviews, and thorough security evaluations performed by experts.

As we look ahead, there are key integrations at the protocol level on the horizon, including Multi-Purpose Tokens (MPTs), Oracles, Decentralized Identifiers (DID), the Lending Protocol and much more. These new features will require meticulous quality assurance to ensure that the XRP Ledger remains secure and resilient against emerging threats.

In addition to our internal efforts, we recognize the invaluable contributions of independent security researchers. These experts help identify and address potential vulnerabilities, enhancing the overall security of the platform. To date, we have paid out nearly $1M in bug bounties to researchers who reported vulnerabilities in the XRPL codebase.

RippleX Bug Bounty Program

As we continue to further our commitment to security, we want to underline the RippleX Bug Bounty Program. This program is now an extension to Ripple’s 1 Billion XRP commitment to provide financial, technical, security and business support. It plays a crucial role in safeguarding the core protocol development, ensuring the XRP Ledger remains secure and reliable.

In summary, in order to qualify for a bounty, the bug must be:

  • In scope: Only bugs in software under the scope of the program qualify. Currently, that means rippled, xrpl.js, xrpl-py, xrpl4j.
  • Relevant: A security issue, posing a danger to user funds, privacy, or the operation of the XRP Ledger.
  • Original and previously unknown: Bugs that are already known and discussed in public do not qualify. Previously reported bugs, even if publicly unknown, are not eligible.
  • Specific: We welcome general security advice or recommendations, but we cannot pay bounties for that.
  • Fixable: There has to be something we can do to permanently fix the problem. Note that bugs in other people’s software may still qualify in some cases. For example, if you find a bug in a library that we use which can compromise the security of software that is in scope and we can get it fixed, you may qualify for a bounty.
  • Unused: If you use the exploit to attack the XRP Ledger, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and there is specific, concrete evidence that suggests you are the attacker, we reserve the right not to pay a bounty.

Rewards will vary based on the vulnerability’s severity and quality, with the final decision at the discretion of the RippleX team. Vulnerabilities that are harmless on their own but could form part of a critical exploit will usually receive a bounty. Full-blown exploits can receive much higher bounties.

A bounty will be awarded to anyone who reports a complete chain of vulnerabilities even if they have reported each component of the exploit separately and those vulnerabilities have been fixed in the meantime. However, to qualify for the full bounty, you must have been the first to report each of the partial exploits.

Responsible Investigation and Disclosure

We urge security researchers to examine the XRP Ledger code carefully and responsibly, and to disclose any issues that are identified in a responsible fashion. Responsible investigation includes, but isn’t limited to, the following:

  • Not performing tests on the main network. If testing is necessary, use the Testnet or Devnet.
  • Not targeting physical security measures, or attempting to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • Investigating bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to the XRP Ledger and the broader ecosystem.

If a vulnerability or potential threat is discovered, please reach out by dropping an email using the contact information outlined below. Your report should include:

  1. Your contact information (typically, an email address);
  2. The description of the vulnerability;
  3. The attack scenario (if any);
  4. The steps to reproduce the vulnerability;
  5. Any other relevant details or artifacts, including code, scripts, or patches.

In the email, please describe the issue or potential threat. If possible, include a “repro” (code that can reproduce the issue) or describe the best way to reproduce and replicate the issue. Please make your report as detailed and comprehensive as possible.

Contacting Us

To report a qualifying bug, please send a detailed report to:

Email Address: bugs@Ripple.com

Short Key ID: 0xC57929BE

Long Key ID: 0xCD49A0AFC57929BE

Fingerprint: 24E6 3B02 37E0 FA9C 5E96 8974 CD49 A0AF C579 29BE

Full PGP Key: can be found here

Report Handling Process

Once a vulnerability report is received, it is independently evaluated by the RippleX team. If you want to prove that you knew the bug as of a given time, consider using a cryptographic precommitment: hash the content of your report and publish the hash on a medium of your choice (e.g. on Twitter or as a memo in a transaction) as “proof” that you had written the text at a given point in time.
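The precommitment described above, worked through as an added example (this is not Ripple's code and is not part of the bug bounty program itself). The page only says to hash the report and publish the hash; two details here go beyond that and are this example's own choices: the report text is canonicalized (line endings and trailing whitespace normalized) so the digest does not change when the file is re-saved by a different editor, and an optional random salt is mixed into the hash so a short or predictable report cannot be guessed from the published digest before disclosure. The `as_memo_data` helper assumes the XRPL convention that memo fields carry hex-encoded bytes; the function names and the sample report are constructed for this example.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def canonicalize(report_text: str) -> bytes:
    """Normalize the report so re-saving it with different line endings or
    trailing spaces still yields the same bytes (this example's own choice)."""
    text = report_text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return ("\n".join(lines).strip() + "\n").encode("utf-8")


def commit(report_text: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex digest to publish now, salt to reveal together with the report later).

    The salt is optional; without it this is exactly 'hash the content of your
    report' as the page describes. With it, nobody can confirm a guess at the
    report's content from the published digest alone."""
    if salt is None:
        salt = secrets.token_bytes(16)
    h = hashlib.sha256()
    h.update(salt)
    h.update(canonicalize(report_text))
    return h.hexdigest(), salt


def verify(report_text: str, salt: bytes, published_digest: str) -> bool:
    """Recompute the commitment from the revealed report and salt and compare it
    with the digest that was published earlier."""
    expected, _ = commit(report_text, salt)
    return secrets.compare_digest(expected, published_digest)


def as_memo_data(digest_hex: str) -> str:
    """XRPL memo fields carry hex-encoded bytes (assumed convention): encode the
    ASCII digest string so it can be placed in a transaction memo."""
    return digest_hex.encode("ascii").hex().upper()


if __name__ == "__main__":
    # Constructed sample report, not a real vulnerability.
    report = "Title: example finding\r\nComponent: example\r\nSteps: redacted for this demo  \r\n"
    digest, salt = commit(report)
    print("publish this digest:", digest)
    print("as memo data:      ", as_memo_data(digest))
    # Later, at disclosure time, the report and salt are revealed and anyone can check:
    print("verifies:", verify(report.replace("\r\n", "\n"), salt, digest))
```

Keep the salt (if you use one) with the report; the published digest proves nothing unless both can be revealed later. Publishing the digest on a medium you do not control (a public post, or a memo in a transaction whose ledger timestamp is fixed by validators) is what anchors the "as of" time.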

Once we receive a report, we:

  1. Assign two people to independently evaluate the report;
  2. Consider their recommendations;
  3. If action is necessary, formulate a plan to address the issue;
  4. Prepare, test and release a version which fixes the issue; and
  5. Announce the vulnerability publicly.

If action is necessary, we formulate a plan to address the issue, communicate privately with the reporter, prepare and test a fix, and announce the vulnerability publicly.

We commit to triaging your disclosure and responding with our triage assessment within 24 hours of the initial report. We cannot guarantee a response time for the remaining steps, but we will communicate with you throughout this process, letting you know where we are and keeping you updated on the timeframe.

Looking Ahead

As we continue to foster a collaborative security environment, we are excited to announce several upcoming events and opportunities that will help drive the future of the XRP Ledger:

Bug Bounty Live Hack: Watch this space for an exclusive live event hosted over 48 hours. The event will bring together the top bounty hunters and protocol researchers to identify and report vulnerabilities. This event will provide participants with a series of directives and test cases to identify and report vulnerabilities, with rewards distributed depending on the severity and impact of bugs identified.

Announcing and Rewarding Winners: We will be announcing the winners of our ongoing bug bounty program, celebrating the researchers who have made significant contributions to our security efforts. This recognition aims to highlight their achievements and encourage more researchers to participate.

Themed Challenges: To focus on specific protocols and enhance targeted security measures, we will be introducing themed challenges. These challenges will direct researchers’ efforts towards particular aspects of the platform, providing structured opportunities to test their skills and earn rewards.

Future Initiatives: We are continuously exploring new ways to engage with the security community. This includes potential collaborations, workshops, and webinars aimed at educating and empowering researchers to contribute effectively to the security of the XRP Ledger.

Together, through these initiatives and the ongoing efforts from the community, the XRP Ledger will remain secure and reliable. We look forward to your participation and thank you for your continued support in making the XRP Ledger safer for everyone.

Happy hunting!
