Operator: JMS Media Group LLC (Wyoming, USA; Filing ID 2026-001951812) — the legal entity behind the UltraDAG project and the payer of record for all bounty rewards.
Status: Active — Testnet (Mainnet paused as of 2026-04-22)
Launch Date: March 8, 2026
Mainnet Genesis: April 10, 2026
Mainnet Paused: April 22, 2026
Total Pool: 500,000 UDAG
UltraDAG is offering rewards for security researchers who discover and responsibly disclose vulnerabilities in the UltraDAG codebase. Mainnet is currently paused; testing runs on testnet only. Testnet nodes are reachable at ultradag-node-[1-2].fly.dev:9333 (P2P) and https://ultradag-node-[1-2].fly.dev (RPC).
Valid reports are rewarded in UDAG and recorded in the append-only LEDGER.md. Payout in mainnet UDAG is deferred while mainnet is paused but every ledger entry remains binding per the program's testnet-reset-safety policy — the commitment is the git-tracked entry plus the hunter's key, not the chain state. See LEDGER.md → Testnet Reset Safety.
- P2P port 9333 is public on both testnet nodes at ultradag-node-[1-2].fly.dev:9333.
- RPC port 10333 is public at https://ultradag-node-[1-2].fly.dev for reads and transaction submission.
- Please do not DoS the testnet. In-scope attacks are those demonstrating a protocol or implementation bug via a minimal PoC — not brute traffic floods. If you can crash or halt a testnet node with a single crafted message, that's a valid Critical; sustained DoS traffic is out of scope and may be reported to the hosting provider.
- Mainnet attack surfaces remain in scope for review — any bug you find against the current codebase is eligible regardless of whether it's exercisable on a live mainnet today. The vulnerability class is what matters for the reward tier.
In Scope:
- Consensus mechanism (DAG, finality, validator logic)
- P2P networking layer
- State engine and transaction processing
- Staking mechanism
- RPC endpoints and rate limiting
- Memory safety and resource management
- Cryptographic implementations
Out of Scope:
- Third-party dependencies (report to upstream)
- Social engineering attacks
- Physical attacks on infrastructure
- Testnet-only issues that won't affect mainnet
Vulnerabilities that could catastrophically compromise the network:
- Consensus breaks: Double-spend, finality violation, fork attacks
- Network-wide failures: Permanent stalls, cascading crashes
- Cryptographic breaks: Private key extraction, signature forgery
- State corruption: Supply inflation, balance manipulation
- Examples:
  - Exploit allowing creation of UDAG from nothing
  - Attack forcing permanent network halt
  - Method to finalize conflicting transactions
Severe vulnerabilities affecting availability or individual nodes:
- DoS attacks: Crash individual nodes or small groups
- Resource exhaustion: Memory leaks, CPU exhaustion
- Staking exploits: Unauthorized unstaking, reward manipulation
- Network attacks: Partition attacks, eclipse attacks
- Examples:
  - Crafted message causing node crash
  - Method to prevent validator from producing vertices
  - Exploit to steal staking rewards
Moderate vulnerabilities with limited impact:
- RPC vulnerabilities: Authentication bypass, data leakage
- Rate limiting bypass: Circumventing DoS protections
- Mempool manipulation: Transaction censorship, fee manipulation
- DAG pruning bugs: Data loss, incorrect state
- Examples:
  - Bypass rate limiting to spam transactions
  - Cause mempool to reject valid transactions
  - Trigger incorrect DAG pruning
Minor issues with minimal security impact:
- Input validation: Missing checks, edge cases
- Performance issues: Inefficient algorithms, slow queries
- Documentation errors: Critical security documentation gaps
- Minor bugs: Edge cases in non-critical paths
- Examples:
  - Missing null checks in RPC handlers
  - Inefficient DAG traversal causing slowdown
  - Incorrect error messages leaking info
- Test against live testnet: https://ultradag-node-1.fly.dev
- Use provided tools: faucet, RPC endpoints, monitoring scripts
- Document reproduction steps clearly
DO NOT:
- Publicly disclose before fix is deployed
- Exploit vulnerabilities for personal gain
- Attack the network maliciously
- Share vulnerabilities with others
DO:
- Report privately via GitHub Security Advisory
- Provide detailed reproduction steps
- Suggest potential fixes if possible
- Allow 90 days for fix before public disclosure
Create a GitHub Security Advisory with:
## Vulnerability Summary
[One-line description]
## Severity
[Critical/High/Medium/Low] - [Your assessment]
## Affected Component
[Consensus/Network/RPC/State/etc.]
## Reproduction Steps
1. [Detailed step-by-step]
2. [Include commands, code, or scripts]
3. [Expected vs actual behavior]
## Impact
[What can an attacker achieve?]
## Suggested Fix
[Optional - your recommendation]
## Testnet Address
[Your testnet address for reward: udag1...]
- Acknowledgment: Within 24 hours
- Validation: 1-7 days (we reproduce the issue)
- Severity Assessment: Team evaluates impact and assigns tier
- Fix Development: 7-90 days depending on severity
- Reward Distribution: After fix is deployed and verified
- Courtesy testnet UDAG payment to the testnet address you included in your report — a visible "we took this seriously" signal plus a working balance for further testing. This is NOT the binding commitment. See LEDGER.md → Testnet Reset Safety for why.
- Append-only entry in LEDGER.md — the actual binding commitment. Git-tracked, signed by the maintainer commit, survives any testnet reset.
- Acknowledgment reply on the private GitHub Security Advisory with the severity assessment, reward range, and planned timeline.
Mainnet genesis was 2026-04-10; mainnet is currently paused as of 2026-04-22. Every entry in the ledger converts 1:1 to mainnet UDAG under the following rules:
- Vesting schedule: 25% unlocked at the vesting anchor (immediate), 75% vested linearly over the 12 months following.
- Vesting anchor date:
  - Pre-mainnet reports (2026-03-08 through 2026-04-10): anchor = 2026-04-10
  - Post-mainnet reports: anchor = validation date
- Claim process: the hunter signs a maintainer-supplied challenge with the Ed25519 secret key (or passkey) behind their testnet address. This proves ownership without needing the testnet address to hold any balance or for the testnet to even still be running.
- Pause handling: while mainnet is paused, claim windows open as soon as mainnet is re-enabled. The vesting anchor rule above still applies — a paused period does not reset or delay the anchor. Entries already accrued continue to accrue the 12-month linear vest.
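The claim step above, as an added illustration that is not UltraDAG's own code: the maintainer issues a challenge bound to the ledger entry, the address on file and a fresh nonce, the hunter signs it with the Ed25519 key behind their testnet address, and the maintainer verifies it against the public key recorded for that entry. The domain prefix, the challenge layout and the sample entry and address values are assumptions, not the program's actual format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Domain-separation prefix (assumed; the page does not specify the real challenge
// format). It keeps a signed claim from being replayed as anything else the key signs.
const claimDomain = "ultradag-bounty-claim-v1"

// BuildChallenge is the maintainer-supplied challenge: it binds the ledger entry,
// the hunter's testnet address on file, and a fresh random nonce into one message.
func BuildChallenge(ledgerEntry, address string, nonce []byte) []byte {
	return []byte(claimDomain + "|" + ledgerEntry + "|" + address + "|" + hex.EncodeToString(nonce))
}

// NewNonce draws 16 random bytes so every claim window gets a unique challenge.
func NewNonce() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// SignClaim is the hunter's side: sign with the Ed25519 secret key behind the address.
func SignClaim(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyClaim is the maintainer's side: rebuild the expected message from the ledger
// entry and address on file (never from the claimant's copy of it) and check the
// signature against the public key recorded with the entry. Length checks come first
// because ed25519.Verify panics on a malformed public key.
func VerifyClaim(pub ed25519.PublicKey, ledgerEntry, address string, nonce, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, BuildChallenge(ledgerEntry, address, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed hunter key, not a real one
	entry, addr := "LEDGER-0001", "tudg1exampleaddress" // constructed sample values
	nonce := NewNonce()
	sig := SignClaim(priv, BuildChallenge(entry, addr, nonce))
	fmt.Println("valid claim:", VerifyClaim(pub, entry, addr, nonce, sig))               // true
	fmt.Println("replayed under a new nonce:", VerifyClaim(pub, entry, addr, NewNonce(), sig)) // false
}
```

Because the maintainer reconstructs the message from its own records, a signature over a different entry, a stale nonce, or a key other than the one on file all fail verification.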
Testnet reset safety: testnet --clean restarts do not affect any ledger entry. The commitments live in git, not on the testnet chain. See the testnet reset safety section in LEDGER.md for the full explanation.
✅ Allowed:
- Security researchers, developers, anyone
- Automated tools and fuzzing
- Multiple submissions per person
- Team submissions (reward split as specified)
❌ Not Allowed:
- UltraDAG team members and immediate family
- Vulnerabilities discovered during paid audits
- Issues already known or reported
- Duplicate submissions (first valid report wins)
Valid submissions must:
- Be reproducible on current testnet
- Include clear proof-of-concept
- Represent a real security risk
- Not be publicly known
Invalid submissions:
- Theoretical issues without PoC
- Already fixed vulnerabilities
- Out-of-scope items
- Spam or low-effort reports
- Private disclosure required: 90-day embargo
- Coordinated disclosure: We'll work with you on timing
- Credit: You'll be credited in release notes (if desired)
- CVE assignment: For critical/high severity issues
- Nodes: https://ultradag-node-[1-5].fly.dev (5 nodes, use any for queries)
- Faucet: curl -X POST https://ultradag-node-1.fly.dev/faucet -H "Content-Type: application/json" -d '{"address":"tudg1...","amount":10000000000}' (amount is in sats; 10,000,000,000 sats = 100 UDAG, the per-request max; rate-limited to 1 request per 10 minutes)
- RPC Docs: docs/reference/api/rpc-endpoints.md
- Send malformed transactions
- Spam RPC endpoints
- Create conflicting DAG vertices
- Manipulate staking state
- Partition network connections
- Exhaust node resources
Total Allocated: 500,000 UDAG
Total Awarded: 0 UDAG (as of April 11, 2026)
Active Hunters: 0
Vulnerabilities Fixed: 0
Updated monthly in LEDGER.md.
Q: Can I test on mainnet when it launches?
A: No. Mainnet attacks are illegal. This program is testnet-only.
Q: What if I find something but can't reproduce it reliably?
A: Submit anyway with as much detail as possible. We'll investigate.
Q: Can I share my findings with my team?
A: Yes, but only for collaboration on the submission. No public sharing.
Q: What if my submission is rejected?
A: We'll provide detailed reasoning. You can appeal or resubmit with more evidence.
Q: How do I get testnet UDAG to start testing?
A: Use the faucet endpoint. Cap is 100 UDAG (10,000,000,000 sats) per request, rate-limited to 1 request per 10 minutes. See GUIDE.md for the exact curl command.
Q: Is there a maximum reward per person?
A: No limit, but we reserve the right to adjust for extraordinary circumstances.
- Security Issues (private): https://github.com/UltraDAGcom/core/security/advisories/new or click the green "Report a vulnerability" button at https://github.com/UltraDAGcom/core/security. See SECURITY.md in the repo root for the full disclosure policy and response SLAs.
- General questions (public): Create a GitHub Discussion at https://github.com/UltraDAGcom/core/discussions. Do NOT post vulnerability details there.
- This program is subject to change at any time
- Final reward amounts are at UltraDAG team's discretion
- Participation constitutes agreement to these terms
- Mainnet conversion is a binding commitment
- All decisions are final
Last Updated: April 11, 2026
Program Version: 1.1
Next Review: May 11, 2026