The ESP32 Security Bug Bounty Is Still On!

Shanghai, China
Nov 1, 2018

Since March 2015, Espressif has run a bug-retrieving program which rewards users who find bugs in ESP8266 and ESP32 SDKs. The ESP8266 program ended in July 2018, but the ESP32 Bug Bounty is still on!

Espressif’s ESP32 Security Bug Bounty is still on, offering 500 USD to any developer who reports a proven, yet previously unknown, security-related bug in our latest ESP-IDF. Additionally, 1,729 USD will be awarded, as applicable, for proof of concept! 

Bugs irrelevant to security cannot be accepted in the ESP32 Bug Bounty Program, so you might want to check again a few things about our Flash Encryption and Secure Boot. Also, developers should focus only on the latest version of our ESP-IDF. If multiple developers report the same bug, the award will be given to the first one who files a properly substantiated bug report.

To report a bug, you should go to our web-forum, find  our bug-reporting form, fill it in  and send it to You must include all the details about the bug, including the bug name, its description and the ESP-IDF version in which you found it, as well as all the relevant hardware information, test steps, reference codes, log output, and anything else that could help us reproduce and verify the reported bug. 

We cannot accept reports not properly submitted, including incomplete or false reports. We may also ask for clarifications if needed.  


    1. You will receive an email acknowledging the receipt of your bug report.
    2. Then, our engineers will review your report and determine whether it is valid or not. The duration of the review may vary, depending on the complexity and completeness of your report, as well as the number of bug reports we receive. In any case, we shall try and send you an update on your bug report as soon as possible.
    3. Once the bug review is completed, we shall contact you and, if your report is found to be successful, we shall ask you to provide us with all the necessary information that will facilitate your payment.
    4. All participants will be contacted before Espressif publicly announces the fixes of any bugs retrieved through the ESP32 Bug Bounty Program.


In general, we shall make payments via a bank transfer. Award recipients are responsible for dealing with any tax implications that their cash award might have in their countries/ states/ provinces.


Espressif reserves the right to determine whether a bug report is valid. Decisions made by Espressif are final and binding. 

We look forward to your receiving your entries!

Share this article
Reuse this content