Critical Bugs Wanted: $5K Max, Instant Coffee Money Edition—Circle's Arc Bug Bounty Gets Roasted
Circle's new bug bounty program for Arc, its public layer-1 blockchain dubbed the "Economic OS for the internet," is open for business. There's just one small catch: the max payout for critical vulnerabilities is $5,000. That's roughly three months of oat milk lattes or one moderately disappointing Ethereum gas day. The company opened its testnet code and node software for public review as it pushes toward mainnet. Arc is built to support stablecoins, tokenized assets, and global markets on shared infrastructure. Sounds ambitious, like promising to revolutionize email while offering $5 to fix that one bug that bricked everyone's inbox. The bounty program, however, has drawn fire.
Blockchain investigator ZachXBT took to X to sound the alarm, suggesting he could personally match the "lowball joke" of a Circle bug bounty if a grey hat researcher decided to go solo. Ouch. For those counting at home, that's roughly the price of a mid-tier graphics card—perfect for either mining or discovering critical exploits, but somehow only suitable for one.
The Reward Breakdown:
Critical findings: $3,000–$5,000 (6.90% of submissions)
High-severity issues: $800–$3,000 (6.90%)
Medium-severity findings: $400–$800 (44.83%)
Low-severity reports: $150–$400 (41.38%)
Notably, the table lists no average bounty for high or critical reports. That silence speaks volumes, louder than your family at Thanksgiving when you mention you're still "into crypto."
Circle says the campaign aims to widen external review before launch. Researchers are asked to focus on reproducible findings affecting network safety, liveness, correctness, or reliability. Translation: find our billion-dollar infrastructure flaws, but maybe grab a coffee on us. Actually, scratch that—$5,000 won't cover the therapy bills from reading the code.
The Fine Print: Circle aims to send a first response within five business days of report submission. Triage is set at 10 business days, with bounty decisions within 10 days after triage. Resolution time varies by severity and complexity. So in theory, you'll have your rejection letter within a month. In practice, we all know what "varies by complexity" means in corporate speak—it means "we'll get back to you when Bitcoin does 10x again."
One bug per report unless chaining is needed to demonstrate impact. Duplicate submissions? Only the first fully reproducible report qualifies. Multiple bugs sharing a root cause count as a single bounty case. Because apparently, if your smart contract has 47 ways to implode, that's just "one creative approach to losing funds."
Participants must be 18+, comply with applicable laws, and cannot be Circle employees (or their immediate family members). U.S.-embargoed jurisdictions and restricted lists are excluded. Sorry, North Korea—your cryptographic prowess will have to go uncompensated this time.
By filing, participants grant Circle and affiliates broad rights to use and share the submission. Because nothing says "we value your expertise" like asking you to gift