Over the past two years, Meta Earth has steadily advanced its work across modular blockchain infrastructure, on-chain identity, and ecosystem development. To date, the number of ME IDs (verified on-chain user identities) has surpassed 5.7 million, with a growing community continuing to join the Meta Earth ecosystem. As the network scales, one thing has become increasingly clear: a thriving developer ecosystem and a robust security foundation will be the cornerstones of Meta Earth's next phase.
To further solidify the foundation of ecosystem development and comprehensively enhance the stability and security of the testnet and development environment, MetaEarth Devs officially launches the Meta Earth Bug Bounty security reward program. The program will be rolled out in three phases, with a total prize pool valued at $300,000 worth of $MEC, and a maximum reward of $5,000 worth of $MEC per individual for a single vulnerability.
Phase 1 is now officially live, with a prize pool valued at $100,000 worth of $MEC. We sincerely invite security researchers and developers worldwide to participate and jointly safeguard the security of the Meta Earth ecosystem.
Program Dates
Bug Bounty Phase 1:
May 27, 2026, 07:00 UTC – June 17, 2026, 07:00 UTC
Program Rules
Scope for This Phase
ME Hub (Settlement Layer)
| Module | Testing Direction |
| ME Hub (Settlement Layer) | Sequencer registration mechanism, consensus mechanism (CometBFT), validator voting and block production, AppHash consistency issues, wstaking module staking business, wgov module proposal governance, Gravity module cross-chain bridge fund security, wmint module token minting logic, wdistri module national/regional reward distribution mechanism, Gas fee charging mechanism, RollApp module state submission, DID module identity management, KYC module identity authentication, megroup module group-joining rewards. |
As the relayer and contract code for Meta Earth Bridge are not yet open-sourced, the Bridge is excluded from the scope of this Bug Bounty. For reference, developers are welcome to study the source code of the Gravity, BSC, and TRON modules.
Out of Scope
| Category | Description |
| Third-Party Integrations | Wallets or other third-party integration services not officially maintained by Meta Earth |
| Known Issues | Bugs that have been publicly disclosed and flagged prior to the program start (as listed in known-issues.md) |
| Social Engineering | Social engineering attacks, including phishing, scams, and impersonation |
| Mainnet Attacks | Any testing or attack activity targeting the Meta Earth Mainnet |
| Physical Infrastructure | Security issues involving physical-layer assets such as data centers and server hardware |
Rewards
| Severity | Definition (Testnet Scope) | Reward Range($MEC) | Typical Examples |
| 🔴 Critical | Modules involving external chain fund security, consensus mechanisms, and state verification, including CometBFT consensus mechanism, validator voting and block production, AppHash state consistency, and Gravity module cross-chain bridge fund security. | $2,000 – $5,000 | CometBFT consensus vulnerability |
| 🟠 High | Issues in core business modules affecting system availability and data integrity — including wstaking (flexible / fixed-term staking), wgov (governance proposals), wmint (token issuance logic), wdistri (regional reward distribution), RollApp state submission, and Sequencer management. | $1,000 – $2,000 | RollApp unable to submit state; cross-chain messages dropped |
| 🟡 Medium | Modules affecting identity authentication and associated business processes, including Gas fee mechanism, DID identity management, KYC identity authentication, and ME Group group-joining reward mechanism. | $100 – $1,000 | KYC authentication level, authentication status, group-joining status, group-joining rewards |
| 🟢 Low | Issues related to non-core modules such as documentation and UI/UX. | $50 – $100 | Explorer displays errors; inaccurate error messages |
How to Participate
1. Please fill in the information at https://forms.gle/4AZisbddFWbnHS4M8 so that we can keep you updated on your activity progress and distribute rewards in a timely manner.
2. Submit your bug directly on GitHub during the program period, using the template below:
Vulnerability Title
[Provide a one-sentence summary, e.g. “Memory leak during ME-HUB node synchronization”]
Affected Module
- ME-Hub
- Sequencer
- SDK/API
- Documentation
- Explorer/UI
Vulnerability Description
[Describe the issue in detail, including how it can be triggered and what the potential impact is.]
Reproduction Steps
PoC (Required for Medium severity and above)
[Code / scripts / screenshots / screen recordings]
Environment Information
- Testnet block height:
- Is it consistently reproducible:
3. Upon successful submission, your report will enter the official review process.
| Stage | Timeframe | Description |
| Submission Acknowledged | T + 1 business day | Official email confirmation that the issue has been received |
| Technical Reproduct1ion | T + 3–5 business days | Technical team completes bug reproduction, risk assessment, and severity classification; results shared with the submitter |
| Reward Distribution | Within 7 business days after the event concludes | Rewards transferred to the wallet address provided by the submitter(Final reward amount confirmed and communicated to the submitter) |
Program Guidelines
- If multiple participants submit the same bug, the earliest submission timestamp takes precedence; selected valid submitters among the rest may receive an additional official reward.
- Every submission must include the testnet block height or transaction hash (Tx Hash). The technical team will reproduce and verify each report in the public testnet environment.
- To prevent bulk low-quality submissions, low-severity vulnerabilities are capped at 3 rewarded submissions per participant per week. There is no submission limit for medium-severity vulnerabilities and, above — we strongly encourage high-quality, reproducible reports.
- All approved bug submission links will be published across X, the full blog post, and the official program landing page, ensuring full traceability and a fair, transparent process.
- Please submit your $MEC address (generated via ME Pass) to receive rewards. All earned $MEC can be freely exchanged to USDT and withdrawn anytime. Download ME Pass from our official website or App Store.
- Rewards for the event will be distributed in $MEC of equivalent value, with the conversion rate based on the real-time price on the day of distribution.
- MetaEarth Devs reserves the right of final interpretation for this program.
Help Build a More Secure MetaEarth
What MetaEarth Devs aims to build is more than a developer community — it's an open, collaborative ecosystem where contributors work together to surface issues, refine the system, and drive the continuous evolution of Meta Earth's underlying infrastructure. That's why we're starting with a Bug Bounty: by opening up our testnet and establishing community collaboration mechanisms, we want developers to be genuinely part of how the network is built and improved.
Every vulnerability report, every edge-case test, every technical verification brings Meta Earth one step closer to the stability, security, and scalability required to support large-scale Web3 applications in the future.
If you'd like to be part of building modular network security, we'd love to have you in the Meta Earth Bug Bounty. We can't wait to see what you find.
