# Anyone Bug Bounty Program

The Anyone Bug Bounty program is now live! Here, you can find each competition track, the prizes, starting information and other conditions. For more context on the Bug Bounty contest, check out our [Medium Article](https://anyone-protocol.medium.com/the-anyone-bug-bounty-program-c31e3e2a493c).

{% hint style="success" %}
**Submitting your success proofs**

To preserve participants' anonymity and broaden ecosystem use cases, submit your bug bounty proofs via a form hosted on a dedicated **hidden service** in the Anyone Network. To access it, start the Anyone client and go to the page below:\
<http://2sx274i4dadq3ijo27lj55xi5q7paodkfq6g5mi4jz57dt2nztpqmdad.anon>
{% endhint %}

## Competition Tracks

#### Code Archaeology (Easy)

**Target:** Anyone public repositories and commit history.\
**Objective:** Find leaked secrets/tokens/credentials from Anyone’s GitHub account.\
**Success proof:**\
— Link to the commit/file,\
— Show it’s not cycled and is still active,\
— Show it was accessible outside the org (e.g., your Action run).\
<mark style="color:orange;">**Bounty:** **A hardware relay** given for each of the first 10 unique secrets.</mark>\
<mark style="color:blue;">**Starting Info:**</mark> Use our GitHub organization <https://github.com/anyone-protocol>

#### Operations Chamber (Medium)

**Target**: Ops UI endpoint\
**Objectives**:

* Bypass oauth2\_proxy without valid creds
* Access services you shouldn’t be able to
* Escalate read-only to write if possible

**Success proof**: Screenshot of unauthorized access and HTTP logs of your requests.\
<mark style="color:orange;">**Bounty**: **2000 tokens** for each of the first 3 unique exploits.</mark>\
<mark style="color:blue;">**Starting Info**</mark>: Target the ops endpoint (`*.ops.anyone.tech`)

#### Process Hijack: AO Protocol (Hard)

**Target:** Staging AO processes (relay/staking/operator registry).\
**Objective:** Perform unauthorized write ops or escalate privileges from read-only.\
**Success proof:** Process transaction ID and method documentation.\
<mark style="color:orange;">**Bounty:** **5000 tokens** for each of the first 3 unique exploits.</mark>\
<mark style="color:blue;">**Starting Info**</mark>: Attempt to compromise the AO processes below:

* `GDcOVcu5FQk5oYYC_fDxDzOpiKRFLpOqoIxF9ATTAjc`
* `AQIxBWYFpyplmKnl72UkXGgTZAPXBKPuQsDQ9O45bZ0`
* `XJQw0fL7HB0Uclcn6tAxLXjjqFSSZgNiSlpy96unxbk`

#### Hodler's Vault: EVM Smart Contracts (Hard)

**Target:** Staging Hodler contract (address will be provided).\
**Objective:**

* Drain funds,
* Manipulate state, exploit reentrancy, or find any other critical vulnerability

**Success proof:** Transaction hash on staging and detailed exploit writeup.\
<mark style="color:orange;">**Bounty:** **10,000 USDT.**</mark>\
<mark style="color:blue;">**Starting Info**</mark>: Focus on the following Sepolia smart contract:

* `0xB2B365DC481E9527366b29dE9394663A05743Aa9`

#### Walls of Anyone: Server Boundaries (Very Hard)

**Target**: Break into a designated dev-box with reference setup\
**Objective**:

* Gain unauthorized SSH access, or
* Bypass firewall rules
* Escalate privileges to the `root` role

**Success proof**: Generate a syslog entry: `CTF_FLAG_FORTRESS_[your_pubkey]_[timestamp]`\
<mark style="color:orange;">**Bounty:** **20,000 USDT.**</mark>\
<mark style="color:blue;">**Starting Info**</mark>: We have made public the IP address of the server:

* `95.216.68.239`

## Rules and Scope

### In Scope:

1. **Servers:**\
   \- Operating System\
   \- SSH\
   \- Firewall\
   \- WireGuard interface
2. **Mesh Endpoints:**\
   \- oauth2\
   \- Grafana\
   \- Network information services
3. **GitHub:**\
   \- Public repositories\
   \- Commit history\
   \- GitHub Actions configs / CI/CD
4. **Blockchain:**\
   AO processes:\
   \- *Relay rewards*\
   \- *Staking rewards*\
   \- *Operator registry*

### Out of Scope

1. **Resources:**

   \- Production/live infra,\
   \- Team member personal accounts/emails,\
   \- Community member data,\
   \- Any endpoints not listed here,\
   \- Live/mainnet contracts or processes.
2. **Techniques:**

   \- DDoS/resource exhaustion,\
   \- Phishing team or community,\
   \- Access/modify other participants’ submissions,\
   \- Modify/delete data (proving you could is enough),\
   \- Publish details before fixes or before the program ends,\
   \- Utilizing zero-day bugs to pass challenges.

### ⏰ Challenge Deadline:

The deadline to submit to the bug bounty program is **19th November 2025.** Good luck to all participants!
