👾Bug bounty
Last updated
Last updated
The safety of our platform and users is our top priority and we gladly work with security researchers, auditors and experts as well as our community to achieve this goal.
Our bug bounty program offers generous rewards to incentivise responsible disclosure of security issues and vulnerabilities within our platform and smart contracts.
The rewards in our bug bounty program are allocated based on the impact and severity of the identified issue or vulnerability. When assessing the severity, we take into account various factors such as exploitability, complexity, required privileges to successfully execute an attack and the degree of user interactivity involved. These considerations help us determine the potential risks and consequences associated with each vulnerability.
Our severity rankings provide a clear framework for categorizing vulnerabilities, and the corresponding reward ranges are as follows:
| Severity | Reward | Description and examples |
|---|---|---|
When disclosing security breaches, please use the email address team@goneuron.xyz
We will then triage and respond within typically 72 hours, confirming the defect and classification or rejecting the report.
We will then agree an embargo duration allowing us to resolve the issue and pay any bounties owed
To ensure a fair and responsible bug bounty program, we have established specific rules and guidelines. These rules help maintain the integrity of the program and ensure a safe testing environment.
The following rules apply:
Only the first submission of a defect is eligible for a reward: To avoid duplicate submissions and streamline the evaluation process, we consider only the first report of a specific vulnerability for reward consideration.
Testing with mainnet or public testnet contracts is not allowed: To protect the stability and security of our production systems, we restrict testing activities to private testnets. Please refrain from testing on the mainnet or public testnet contracts.
Attempting phishing or other social engineering attacks: Engaging in any form of phishing or social engineering attacks against our employees or customers is strictly prohibited. Our bug bounty program focuses solely on technical vulnerabilities and responsible disclosure practices.
Denial of service attacks on off-chain infrastructure: We do not permit the testing of denial of service attacks on our off-chain infrastructure, including APIs or other related services. This restriction helps ensure the availability and reliability of our systems.
Automated testing that generates significant traffic: We strongly discourage the use of automated testing techniques that generate excessive amounts of traffic, as this can disrupt the normal functioning of our platform. Please exercise caution and moderation during your testing activities.
Public disclosure of unpatched vulnerabilities: It is important to maintain responsible disclosure practices to protect the security and privacy of our users. Therefore, we request that you refrain from publicly disclosing any vulnerabilities before they have been patched or without our explicit consent.
Attacks that the reporter has already exploited: To maintain the ethical nature of our program, we do not reward vulnerabilities that have already been exploited by the reporter, resulting in any form of irreversible damage.
Sybil attacks: Activities involving Sybil attacks, which involve the creation of multiple identities to manipulate the system, are not within the scope of our bug bounty program.
Miner-extractable value (MEV): Vulnerabilities related to miner-extractable value, which pertains to the ability of miners to manipulate transactions or block order to their advantage, are not eligible for rewards.
Non-exploitable re-entrancy (no state change) or non-exploitable defects: Vulnerabilities that are deemed non-exploitable, such as re-entrancy attacks without any resulting state change or other non-exploitable defects, are not considered eligible for rewards.
The following assets are in-scope for this program.
goneuron.xyz
Any assets not explicitly stated are out of scope.
High
$5000+
Direct theft of user or operator funds
Permanent freezing of user or operator funds
We do not set a maximum reward guide for high severity vulnerabilities but limit it to 10% of the economic impact.
Medium
$100 - $1000
Temporary freezing of user or operator funds
Denial of service (smart contract is made unable to operate)
Access control is bypassed, including privilege escalation
Low
$50
Denial of Operator interaction with smart contracts