Anyone Bug Bounty Program

The Anyone Bug Bounty program is now live! Here, you can find each competition track, the prizes, starting information and other conditions. For more context on the Bug Bounty contest, check out our Medium Article.

Competition Tracks

Code Archaeology (Easy)

Target: Anyone public repositories and commit history.

Objective: Find leaked secrets/tokens/credentials from Anyone’s GitHub account.

Success proof:

  • Link to the commit/file

  • Show it’s not cycled and is still active

  • Show it was accessible outside the org (e.g., your Action run)

Bounty: A hardware relay given for each of the first 10 unique secrets.

Starting Info: Use our GitHub organization https://github.com/anyone-protocol

Operations Chamber (Medium)

Target: Ops UI endpoint

Objectives:

  • Bypass oauth2_proxy without valid creds

  • Access services you shouldn’t be able to

  • Escalate read-only to write if possible

Success proof: Screenshot of unauthorized access and HTTP logs of your requests.

Bounty: 2000 tokens for each of the first 3 unique exploits.

Starting Info: Target the ops endpoint at (*.ops.anyone.tech)

Process Hijack: AO Protocol (Hard)

Target: Staging AO processes (relay/staking/operator registry).

Objective: Perform unauthorized write ops or escalate privileges from read-only.

Success proof: Process transaction ID and method documentation.

Bounty: 5000 tokens for each of the first 3 unique exploits.

Starting Info: Attempt to compromise the below AO processes:

  • GDcOVcu5FQk5oYYC_fDxDzOpiKRFLpOqoIxF9ATTAjc

  • AQIxBWYFpyplmKnl72UkXGgTZAPXBKPuQsDQ9O45bZ0

  • XJQw0fL7HB0Uclcn6tAxLXjjqFSSZgNiSlpy96unxbk

Hodler's Vault: EVM Smart Contracts (Hard)

Target: Staging Hodler contract (address will be provided).

Objective:

  • Drain funds,

  • Manipulate state, reentrancy, or any critical vulnerability

Success proof: Transaction hash on staging and detailed exploit writeup.

Bounty: 10,000 USDT.

Starting Info: Focus on the following Sepolia smart contract:

  • 0xB2B365DC481E9527366b29dE9394663A05743Aa9

Walls of Anyone: Server Boundaries (Very Hard)

Target: Break into a designated dev-box with reference setup

Objective:

  • Gain unauthorized SSH access, or

  • Bypass firewall rules

  • Privilege escalation to root role

Success proof: Generate a syslog entry: CTF_FLAG_FORTRESS_[your_pubkey]_[timestamp]

Bounty: 20,000 USDT.

Starting Info: We have made public the IP address of the server:

  • 95.216.68.239

Rules and Scope

In Scope:

  1. Servers:

    - Operating System
    - SSH
    - Firewall
    - WireGuard interface

  2. Mesh Endpoints:

    - oauth2
    - Grafana
    - Network information services

  3. GitHub:

    - Public repositories
    - Commit history
    - GitHub Actions configs / CI/CD

  4. Blockchain: AO processes:

    - Relay rewards
    - Staking rewards
    - Operator registry

Out of Scope

  1. Resources:

    - Production/live infra
    - Team member personal accounts/emails
    - Community member data
    - Any endpoints not listed here
    - Live/mainnet contracts or processes

  2. Techniques:

    - DDoS/resource exhaustion
    - Phishing team or community
    - Access/modify other participants’ submissions
    - Modify/delete data (proving you could is enough)
    - Publish details before fixes or before the program ends
    - Utilizing zero-day bugs to pass challenges

⏰ Challenge Deadline:

The deadline to submit to the bug bounty program is 19th November 2025. Good luck to all participants!
