As an open-source, on-chain protocol, Hedgey is able to benefit from a skilled community for testing and debugging our smart contracts. As we launch the Alpha of Hedgey, we aim to create a structured bug bounty program to reward security engineers who help make Hedgey safe. We do this in addition to a series of professional audits being conducted on this Alpha.
The program is limited to the vulnerabilities in smart contracts utilized by the Hedgey Alpha:
Though all vulnerabilities will be considered, the primary focus of this program is securing the use of the Hedgey smart contracts. All other bugs and vulnerabilities will be considered less severe. Previously reported bugs, bugs found by third parties, and bugs not impacting the security of the platform will not be considered for this program. Other vulnerabilities, such as DDoS, spamming, automated tools, and misuse of third-party systems, will be considered, but if they do not directly impact the security of the Hedgey smart contracts they will be treated as less severe or ineligible at the discretion of Hedgey.
Severity of bugs will be assessed under the CVSS Risk Rating scale, as follows:
- Critical (9.0-10.0): Up to $5,000USD $PAR
- High (7.0-8.9): Up to $2,500USD $PAR
- Medium (4.0-6.9): Up to $500USD $PAR
- Low (0.1-3.9): Up to $500USD $PAR
In addition to severity, factors such as the impact of the discovered vulnerability and the level of difficulty in discovering it will be considered.
Any vulnerability or bug discovered must be reported only to [email protected], must not be disclosed publicly, must not be disclosed to any other person, entity, or email address prior to disclosure to [email protected], and must not be disclosed in any way other than to [email protected]. In addition, disclosure to [email protected] must be made promptly following discovery of the vulnerability. Please include as much information as possible, including the conditions on which reproducing the bug is contingent, the steps needed to reproduce the bug, a proof of concept, and the potential implications of the vulnerability being abused.
To be eligible for a reward under this program, you must discover a previously unreported, non-public vulnerability that would result in a loss of or lock on any ERC20 token on Hedgey (but not on any other third-party platform interacting with Hedgey) and that is within the scope of the program. Further, you must be the first to disclose the unique vulnerability to [email protected] in compliance with the disclosure requirements, and you must provide sufficient information to enable us to reproduce the vulnerability. You must not engage in any unlawful conduct when disclosing the bug, including threats, demands, or any other coercive tactics, nor exploit the vulnerability in any way, including by making it public or by obtaining profit. You must make a good faith effort to avoid privacy violations and submit only one vulnerability per submission (unless it's a chain of vulnerabilities). You must be at least 18 years of age, and you must not be subject to US sanctions or reside in a US-embargoed country.
All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion. The terms and conditions of this program may be altered at any time.