Bug Bounty Terms & Conditions
Version effective: 2026-07-10
By submitting a vulnerability report you agree to the following
terms. Read them carefully before proceeding.
Eligibility
-
You must be at least 18 years old and not a resident of a
jurisdiction subject to applicable sanctions.
-
Current and former employees, contractors, and their immediate
family members are not eligible.
-
You must not have exploited the vulnerability beyond the minimum
necessary to confirm its existence.
Responsible Disclosure
-
Do not publicly disclose the vulnerability or related details
until remediation is confirmed or 90 days have elapsed, whichever
comes first.
-
Give us reasonable time to investigate and remediate before
involving a third party.
-
Do not access, modify, or delete data belonging to other users.
Submission Requirements
-
Each report must describe a single, distinct vulnerability and
include clear reproduction steps.
-
The 1 SOL submission fee is non-refundable,
including for duplicate, out-of-scope, or invalid reports.
Awards
-
Award decisions are discretionary and based on severity, impact,
and report quality.
- Duplicate reports are not eligible.
-
Awards use the submitted Solana wallet; incorrect addresses are
the reporter's responsibility.
-
KYC verification is required before payment.
Prohibited Conduct
-
Automated scanning, fuzzing, denial-of-service testing, social
engineering, phishing, and physical attacks are prohibited.
-
Submission does not authorise testing beyond what was necessary to
identify the reported vulnerability.
Legal
-
Comply with applicable laws. We will not pursue researchers acting
in good faith under these terms.
-
These terms do not create an employment, partnership, or agency
relationship.
-
We may modify these terms; the version in effect at submission
governs the report.