
Security in Depth for Bitcoin DeFi: Rootstock Moves to Immunefi

By Bernardo Codesido

Since launch, Rootstock has remained secure at the protocol and bridge level, with no successful chain-level or bridge compromises.

That track record is not accidental. It reflects deliberate protocol design, Rootstock’s merged-mined Proof-of-Work security anchored to Bitcoin miners, conservative engineering choices, and sustained security work led by RootstockLabs and trusted ecosystem partners.

As the home of Bitcoin DeFi, Rootstock sits at a critical security boundary between Bitcoin’s security guarantees and the adversarial, fast-evolving world of smart contracts, bridges, and onchain infrastructure. 

Securing that interface requires a defense‑in‑depth approach that combines robust protocol design, continuous auditing, internal security engineering, and structured collaboration with the global security research community.

As part of that ongoing effort, RootstockLabs has migrated its public bug bounty program from HackerOne to Immunefi, the leading bug bounty platform for Web3 and onchain security.

A Look Back: Our Bug Bounty Program on HackerOne

RootstockLabs launched its bug bounty program on HackerOne in early 2018, with the goal of continuously validating the security of the protocol and its supporting infrastructure under real adversarial conditions.

Over the course of nearly seven years:

  • We received 800+ vulnerability submissions.
  • 53 reports were confirmed as valid security issues and patched, with just one reaching critical severity.
  • We paid over USD $130,000 in rewards to security researchers.

A subset of key disclosures is now publicly accessible on HackerOne’s Hacktivity page.

Each accepted report directly strengthened Rootstock by identifying edge cases, challenging assumptions, and hardening critical components.

Why Immunefi

As Rootstock and the Bitcoin DeFi ecosystem mature, the system’s attack surface extends beyond individual smart contracts. Consensus‑adjacent components, bridge infrastructure, protocol‑level logic, and cross‑component interactions require deep, crypto‑native security expertise.

By migrating the program to Immunefi, RootstockLabs:

  • Aligns with a crypto-native security research community. 
  • Benefits from a disclosure and triage process purpose-built for blockchain protocols. 
  • Improves alignment around severity handling and impact classification.

Immunefi specializes in coordinating security research for blockchain protocols and has established itself as the standard platform for identifying high‑impact vulnerabilities across Web3 systems.

A More Explicitly Defined Security Scope

Along with the migration to Immunefi, RootstockLabs’ bug bounty program now provides a clearly defined and publicly documented security scope, available on Immunefi:

👉 https://immunefi.com/bug-bounty/rootstocklabs/information/

The scope is designed to make explicit which components, systems, and interactions are in-scope for security research, enabling researchers to focus their efforts with clear expectations around coverage and severity classification.

It includes, among others:

  • Rootstock protocol and consensus-adjacent components
  • Bridge infrastructure and cross-system interactions
  • System contracts and smart contracts
  • Developer tooling, APIs, and supporting services

By explicitly documenting the scope, we aim to streamline security research, reduce ambiguity during disclosure and triage, and ensure alignment between researchers and the RootstockLabs security team on what constitutes impactful findings.

Security as an Ongoing Engineering Discipline

For RootstockLabs, security is not a one‑time milestone but an ongoing engineering discipline.

In addition to the public bug bounty program, the RootstockLabs security team’s efforts include:

  • Continuous internal security engineering and threat modeling
  • Regular third‑party audits and independent security reviews
  • Secure development practices across the Rootstock stack
  • Monitoring, incident readiness, and response processes

We view public bug bounties as a critical complement to these efforts — a way to continuously test Rootstock under real‑world adversarial conditions while contributing to the security of the broader Bitcoin and Web3 ecosystem.

Rewards and Payouts

The RootstockLabs bug bounty program on Immunefi offers competitive payouts aligned with industry standards for critical onchain infrastructure. Rewards are calibrated to the severity of impact, with higher payouts for vulnerabilities that could affect consensus, bridge security, fund safety, or protocol integrity.

The program offers up to USD $200,000 for critical blockchain/DLT vulnerabilities, with critical smart contract issues eligible for up to USD $100,000, and graduated rewards across high, medium, and low severities in accordance with Immunefi’s classification framework.

By running the program on Immunefi, we ensure:

  • Clear severity classifications and reward guidelines
  • A disclosure and triage process designed for blockchain systems
  • Timely communication and fair payouts for valid reports

This structure is intended to properly incentivize deep technical research and responsible disclosure of high-impact vulnerabilities.

Next Steps: Get Involved

The RootstockLabs bug bounty program is now live on Immunefi, with a reward structure aligned with Rootstock’s evolving architecture and threat model.

We invite security researchers to review the full scope on Immunefi, test Rootstock under real adversarial assumptions, and responsibly disclose any vulnerabilities they find.

Whether you specialize in smart contracts, protocol-level security, bridges, or system interactions, your work can have a direct impact on the security of Bitcoin DeFi.

👉 Explore the program and submit findings at:
https://immunefi.com/bug-bounty/rootstocklabs/information/

By working together with the security research community, we aim to keep raising the security bar for Rootstock, Bitcoin DeFi, and the broader onchain ecosystem.