Programs Solana Ecosystem Jupiter (jup.ag)
Active Program Up to  $5,000  for Critical Solana / DeFi

Jupiter (jup.ag) Bug Bounty: Earn Up to $5,000 for Critical Vulnerabilities

The largest decentralized exchange aggregator on Solana has opened an active bug bounty for security researchers. Find a critical vulnerability in Jupiter's contracts, infrastructure, or front-end and walk away with up to $5,000 USDC.

BountyHunter Editorial

Security Research Desk

Published
Reading time8 min
StatusLive · Accepting reports
Start Hunting View Scope
Max Reward $5,000 per critical finding
Avg. Triage ~24h first response time
Reports Resolved 10+ since launch
Total Paid Out $36,100 to researchers
Acceptance 18% signal quality 77%
01 — Overview

A new chapter for Solana DeFi security

Jupiter is the most-used decentralized exchange (DEX) aggregator on Solana, routing billions of dollars in monthly swap volume across dozens of liquidity sources. With that scale comes responsibility — and Jupiter's team has reaffirmed its commitment to security by running an active bug bounty program through jup.ag/security.

Researchers who responsibly disclose critical vulnerabilities can earn up to $5,000 USDC per accepted report, paid out directly on-chain. Lower-severity findings are still rewarded along a tiered scale, and the team aims to triage all submissions within roughly 24 hours.

Heads up: Bounty amounts and scope are determined at the sole discretion of Jupiter's security team. Always confirm scope on jup.ag/security before testing.
02 — Why this matters

Why hunt Jupiter?

Massive surface area

Smart contracts, RFQ system, swap UI, perps, lending, and a public API. There's plenty to look at.

Real, fast payouts

USDC bounties on Solana settle in seconds. No waiting weeks for a wire transfer.

Safe Harbor

Good-faith research conducted within scope is protected — no legal action for ethical hunters.

Recognition

Top researchers get a permanent slot on Jupiter's hall of fame and a verified disclosure.

03 — Reward Tiers

How much can you earn?

Bounties scale with impact, not effort. The Jupiter team uses a modified Immunefi severity classification to grade each accepted finding.

Critical $5,000

Direct loss of user funds, unauthorized minting, or full protocol takeover.

  • Drain of vault or treasury
  • Bypass of authority checks
  • Cross-program reentrancy with fund loss
High $2,500

Theft of yield, fee manipulation, or temporary freezing of funds.

  • Manipulation of routing for sandwich attacks
  • Unauthorized fee collection
  • Front-end XSS leading to wallet drain
Medium $1,000

Limited DoS, unauthorized data access, or non-fund-loss logic bugs.

  • Bypassing slippage guard rails
  • Server-side info disclosure
  • Limited account-based DoS
Low $250

Best-practice issues with limited real-world exploitation paths.

  • Missing rate-limits on public endpoints
  • Stale dependencies w/ known CVEs
  • Minor UI spoofing
04 — Scope

In-scope assets

Asset Type Severity Cap
jup.ag & subdomains Web Critical · $5,000
JUP6L...sNYj Aggregator Program Smart Contract Critical · $5,000
Limit Order v2 Program Smart Contract Critical · $5,000
quote-api.jup.ag Public API High · $2,500
price.jup.ag Public API High · $2,500
Mobile clients (iOS / Android) Application High · $2,500
05 — Out of Scope

What is not rewarded

  • Findings on testnet, devnet, or staging environments
  • Theoretical issues without a working proof-of-concept
  • Vulnerabilities in third-party integrations not maintained by Jupiter
  • Spam, social-engineering, or phishing of Jupiter team members
  • Any active exploitation of mainnet contracts (use a fork instead)
  • Self-XSS, clickjacking on non-sensitive pages, missing CSP headers without impact
  • Automated scanner output without manual validation
06 — Rules

Rules of engagement

  1. Test responsibly. Use your own wallets and test funds. Never touch other users' assets.
  2. No mainnet exploitation. Reproduce findings on a local validator or mainnet fork. Demonstrating impact ≠ profiting from it.
  3. Report privately. Submit through the official channel below — never in a public GitHub issue, Discord, or Twitter post.
  4. Allow time to fix. Coordinated disclosure window is 90 days, extendable by mutual agreement.
  5. One report, one bounty. Duplicates are paid to the first valid submission only.
07 — Submit

How to submit a report

Send your encrypted report to security@jup.ag using the team's public PGP key, or open a private advisory on the official GitHub jup-ag/security. Include the following:

Report Template 
# Title
[Critical] Brief, descriptive title of the bug

# Severity
Critical | High | Medium | Low

# Affected component
e.g. jupiter-aggregator-program @ commit abc1234

# Summary
2-3 sentences describing the issue and its impact.

# Steps to reproduce
1. Spin up a local validator: `solana-test-validator`
2. Deploy program from branch `repro/issue-XYZ`
3. Run `cargo test --test exploit -- --nocapture`

# Proof of concept
Link to a private gist, repo, or attached zip.

# Impact
Direct loss of user funds, ~$X at current TVL.

# Suggested mitigation
e.g. Add `#[account(constraint = ...)]` check on `vault` account.

# Disclosure
I agree to the 90-day coordinated disclosure policy.
Pro tip: Reports with a working PoC are paid up to 2× faster and almost never get downgraded in severity.
08 — Example

Example: minimum-viable PoC

Here's a sketch of what an unauthorized authority finding might look like. This is illustrative only — do not run against mainnet.

Rust · Anchor PoC 
// PoC: missing authority check on `withdraw_fees`
use anchor_lang::prelude::*;

#[program]
pub mod vulnerable_program {
    use super::*;

    pub fn withdraw_fees(ctx: Context<WithdrawFees>) -> Result<()> {
        // BUG: no `has_one = authority` constraint below — anyone can call.
        let vault = &ctx.accounts.vault;
        let recipient = &ctx.accounts.recipient;

        **recipient.try_borrow_mut_lamports()? += vault.to_account_info().lamports();
        **vault.to_account_info().try_borrow_mut_lamports()? = 0;
        Ok(())
    }
}

#[derive(Accounts)]
pub struct WithdrawFees<'info> {
    #[account(mut)]
    pub vault: Account<'info, Vault>,
    #[account(mut)]
    pub recipient: Signer<'info>,
    // FIX: add `pub authority: Signer<'info>,` and `has_one = authority` above.
}
09 — FAQ

Frequently asked questions

Do I need to be doxxed to claim a bounty?

No. You can stay pseudonymous. Jupiter only requires a valid Solana wallet to receive USDC and a working contact channel (Signal, Telegram, or PGP-signed email).

How fast do I get paid?

Most accepted reports are paid within 7–14 days after the patch is deployed and the disclosure window starts.

Can I disclose the bug publicly afterwards?

Yes — after the 90-day coordinated disclosure window, or earlier with written approval. Public disclosure also makes you eligible for a Hall-of-Fame entry.

What if my report is a duplicate?

The first valid submission gets the full bounty. Duplicates are still acknowledged in the disclosure but are not paid.

Are AI-generated reports accepted?

Only if you've manually validated every claim. Unfiltered LLM output is treated as low-signal noise and will lower your acceptance rate.

Ready to claim your $5,000?

Join the researchers already securing the largest DEX on Solana.

Submit a Report Read the Scope