Bug Bounty Program

Earn $ISNAD by securing
the agent ecosystem

Find vulnerabilities, improve detection patterns, and contribute to the protocol. Get rewarded in $ISNAD tokens for every valid submission.

View BountiesGitHub →
$ISNAD paid
open bounties
contributors
Active Bounties

Current open bounties awaiting submissions. Claim your reward by submitting a solution via GitHub issues with the bounty label.

Loading bounties...
View All on GitHub →
Bounty Tiers

Bounty rewards are aligned with ISNAD staking tiers. Higher-impact contributions earn proportionally higher rewards.

TierReward
🔴Critical Pattern1,000 $ISNAD
🟠Detection Improvement500 $ISNAD
🟡New Scanner Rule200 $ISNAD
🟢Documentation100 $ISNAD
🔵Bug Report50-200 $ISNAD
Special Bounties

High-value bounties for exceptional contributions to ecosystem security.

🔍
Skill Audit Bounty
2,500 $ISNAD
Find a DANGER-level security issue in a popular ClawHub skill. The skill must have >100 installs and the issue must be verifiable.
🛡️
Bypass Bounty
5,000 $ISNAD
Demonstrate a detection evasion technique that bypasses isnad-scan. Requires responsible disclosure and working proof-of-concept.
How to Submit
1
Find a bounty
Browse active bounties above or check GitHub issues with the bounty label
2
Do the work
Write the detection pattern, fix the bug, or create the documentation
3
Submit via GitHub
Open an issue or PR with your submission, including tests and documentation
4
Review period
Core team reviews submissions (typically 3-7 days)
5
Get paid
Approved submissions receive $ISNAD tokens to your connected wallet
Submit a Bounty Claim
Leaderboard

Top contributors who've earned $ISNAD through bounties.

Loading leaderboard...

Leaderboard is live from GitHub. Claim bounties to see your name here.

Rules & Eligibility
Original work only
Submissions must be your own work. Plagiarism results in permanent ban.
One submission per bounty
Submit your best work once. Multiple low-effort submissions are discouraged.
Working code required
All code submissions must include tests and pass CI.
Responsible disclosure
Security vulnerabilities must be reported privately first via security@isnad.md.
English documentation
Code comments and docs must be in English. Translations count as Documentation bounties.
Core team decision is final
Bounty approval is at the discretion of the ISNAD core team.

Note: Bounties are paid in $ISNAD tokens on Base L2. You'll need a connected wallet to receive payment. Tokens are subject to the same vesting schedule as staking rewards.