Security

Here you'll find how we handle security reviews, where our audit reports live, and how our bug bounty works. For reporting steps, safe harbor, and legal terms, read our Security Policy.

Security audits

We work with external auditors on major releases and components, and we run internal security reviews as we ship. The full list of external and internal reports — with PDFs — lives in one place.

Browse all audit reports on Espresso Systems' GitHub

A few recent examples — the repo has the full list, dates, and download links:

November 2025: Runtime Verification, Proof of Stake (staking) smart contracts.
May 2025: Cantina, Merkle tree and BLS signature scheme.

Bug bounty

We run a bug bounty to reward responsible disclosure of security issues in our smart contracts and other in-scope code. If you find something, please report it using the process in our Security Policy. Eligible reports can qualify for a reward.

Scope

Smart contracts

Stake table contracts
Reward claim
Light client
BLS and Schnorr (Ed-on-BN254) signature verification
PlonK verifier, verification keys, and merkle tree verifier libraries
ESP token and Fee contract
UUPS upgrades, access control, pausability, and timelocks
Earlier contract versions only where they affect upgrade safety

Relevant Rust components (if applicable)

Light client verification and state validation logic
Validator state management and reward merkle tree verification, where applicable

Severity and rewards

Reward tiers are a guide. Actual rewards depend on impact, how easy the issue is to exploit, and how clear your report is. Espresso Foundation decides final amounts.

Low (up to $1,000): Non-critical edge cases with minimal or no financial impact.
Medium (up to $10,000): Limited-impact exploits; edge-case logic flaws affecting correctness.
High (up to $100,000): Temporary locking of funds; bypassing core protocol invariants; unauthorized actions with meaningful impact.
Critical (up to $250,000): Loss or theft of funds; permanent freezing of funds; privilege escalation to admin-level control.

Submission requirements

To be eligible for a reward, include the following. Incomplete reports may not qualify.

1. Clear description of the vulnerability
2. Affected contracts and functions
3. Steps to reproduce
4. Proof of concept (code, test, or script)
5. Impact analysis

How to report

Use our Security Policy for where and how to send a report. We try to acknowledge new reports within a few business days.

Read the Security Policy

Responsible disclosure

When you submit a report, please follow our Security Policy. In short:

Don't go public with the issue until we've fixed it
Don't exploit it beyond what you need to show the impact
Don't touch other people's funds or data

Review process

Our security team triages reports, checks impact, assigns severity based on risk, and works with engineering on fixes. Timing depends on how complex the fix is. Triage, safe harbor, and payouts are all covered in the Security Policy.

Rewards and payment

We pay rewards after we've validated the issue and handled it under the program rules
When you get paid can depend on fix and deploy schedules
We usually pay in cryptocurrency

Additional notes

You're responsible for your own taxes
Espresso Systems makes the final call on severity and reward amount
Sanctioned individuals or entities are not eligible to participate in this bug bounty program or receive rewards

Security policy and resources

If you're building on top of Espresso, treat vulnerabilities as confidential until disclosure is coordinated, and use the same reporting path as everyone else.