Circle is facing criticism after setting a maximum reward of $5,000 for critical vulnerabilities in its bug bounty program tied to Arc, a public layer-1 blockchain. The payout cap drew attention as the company opened its testnet code and node software for public review.
Arc is described as an Economic OS for the internet. The platform is built to support stablecoins, tokenized assets, and global markets on shared infrastructure. The program comes as Arc moves toward the mainnet.
Circle’s Arc Bug Bounty Faces Criticism Over Payout Cap
Blockchain investigator ZachXBT criticized the payout structure in a post on X. He wrote that he could match the “lowball joke” of a Circle bug bounty program with his personal funds if a grey hat researcher chose to exploit it for themselves.
Circle said the campaign is meant to widen external review before launch. It asked researchers to look for reproducible findings that could affect network safety, liveness, correctness, or reliability.
The sharpest reaction focused on the top reward tier. The program offers between $3,000 and $5,000 for critical findings. Critical reports account for 6.90% of all submissions listed in the rewards table.
High-severity issues are eligible for payouts of $800 to $3,000. That category also accounts for 6.90% of submissions. The table lists no average bounty for either high or critical reports.
Medium-severity findings offer rewards from $400 to $800. This is the largest share of submissions at 44.83%. Low-severity reports range from $150 to $400 and account for 41.38% of total submissions.
Platform Sets Bounty Timelines and Rules
Circle said it aims to send a first response within five business days of a report being filed. The program sets triage at 10 business days from submission. It also says bounty decisions are made within 10 business days after triage.
The company said resolution time would depend on the severity and complexity of each case. It also requires one vulnerability per report unless chaining is needed to show impact. If duplicate reports are filed, only the first fully reproducible one would qualify for a reward.
Circle said multiple bugs tied to one root cause would be treated as a single bounty case. The program is limited to participants aged 18 or older. It also requires compliance with applicable laws and regulations.
The company excludes its employees and their immediate family members from the program. It also bars residents of U.S.-embargoed jurisdictions and people on restricted lists. By filing a report, participants grant Circle and its affiliates broad rights to use and share the submission.
Related: Circle Unveils Post-Quantum Roadmap for Arc Blockchain