Bug bounty rewards are determined by severity according to CVSS, the Common Vulnerability Scoring System. All final reward decisions will be determined by the CertiK Foundation.
1. Reporting Stage
For all UI and UX bugs, please submit bugs and issues on the Explorer and Wallet category via the CertiK Chain Forum.
For all security vulnerabilities, email the content privately at chain+security@certik.org following the bug report template.
2. Processing Stage
In about one (1) business day, the CertiK Chain team will confirm the threat intelligence per bug ticket. Our security engineers will follow up, evaluate the problem, and feed the intelligence back to the reporter with an 'Under Review' status.
In about four (4) business days, the CertiK Chain team will address the issue, draw conclusions, and record points with a 'Confirmed' or 'Ignored' status. Our security engineers will communicate with the reporter and ask for assistance if necessary.
3. Repairing Stage
The CertiK Chain team will then address the threat intelligence and update the status with 'Fixed' or 'Repaired.' The repairing timeframe depends on the problem severity and the difficulty on a case-by-case basis.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Reports out of scope will not be considered. Please review the scope before submitting.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Avoid all privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Any attacks that could cause physical damage or incur costs to others' property are prohibited.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.