Welcome to our Bug Bounty Program. We want Unifyd protocol to be the best it can be, so we’re calling on our community to help us find any bugs or vulnerabilities. Submit a bug here and earn a reward of up to USD 250,000$. Please see our Rules & Rewards section for more details.
Rules
- Public disclosure of a vulnerability would make it ineligible for a reward.
- Technical knowledge is required for the process.
- Duplicated issues are not eligible for reward. The first submission would be the eligible one.
- If you want to add more information to a provided issue, create a new submission giving reference to the initial one.
- Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of Unifyd.
- Rewards will vary depending on the severity of the issue. Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Unifyd.
- Submissions needs to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
- Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission process unvalid.
- Terms and conditions of the bug bounty process may vary over time.
- Our bug bounty follows a similar approach as Ethereum Bug Bounty. The severity of the issues will be based according to the OWASP risk rating model based on Impact and Likelihood.
- It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be elegible for a reward.
Rewards
| Almost certain | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 | $ 250,000 |
| Likely | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 |
| Possible | $ 100 | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 |
| Unlikely | $ 100 | $ 100 | $ 500 | $ 1,000 | $ 5,000 |
| Almost possible | $ 100 | $ 100 | $ 100 | $ 500 | $ 1,000 |
| Very low | Low | Moderate | High | Severe |
Vulnerabilities Classification
Critical: An issue that might cause immediate loss of > 10% of the funds, or permanent impairment of the protocol state.
Very High / High: An issue that might cause immediate loss of < 10% of the funds, or severely damage the protocol state.
Medium: An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.
Low / Very Low / Note: An issue that might cause user dissatisfaction or minimal failure.
Exclusions
While researching, we’d like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of Unifyd staff or contractors
- Any physical attempts against Unifyd property or data centers
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Submit a bug
Please report the bug you found via this email address: report@unifyd.finance. Try to be as specific and clear as possible when you fill out this form. We will be in touch as soon as possible after receiving the form.