Terms & Conditions

Bug Bounty Program — please read before submitting a report.

Bug Bounty Terms & Conditions

Version effective: 2026-07-10

By submitting a vulnerability report you agree to the following terms. Read them carefully before proceeding.

Eligibility

  • You must be at least 18 years old and not a resident of a jurisdiction subject to applicable sanctions.
  • Current and former employees, contractors, and their immediate family members are not eligible.
  • You must not have exploited the vulnerability beyond the minimum necessary to confirm its existence.

Responsible Disclosure

  • Do not publicly disclose the vulnerability or related details until remediation is confirmed or 90 days have elapsed, whichever comes first.
  • Give us reasonable time to investigate and remediate before involving a third party.
  • Do not access, modify, or delete data belonging to other users.

Submission Requirements

  • Each report must describe a single, distinct vulnerability and include clear reproduction steps.
  • The 1 SOL submission fee is non-refundable, including for duplicate, out-of-scope, or invalid reports.

Awards

  • Award decisions are discretionary and based on severity, impact, and report quality.
  • Duplicate reports are not eligible.
  • Awards use the submitted Solana wallet; incorrect addresses are the reporter's responsibility.
  • KYC verification is required before payment.

Prohibited Conduct

  • Automated scanning, fuzzing, denial-of-service testing, social engineering, phishing, and physical attacks are prohibited.
  • Submission does not authorise testing beyond what was necessary to identify the reported vulnerability.

Legal

  • Comply with applicable laws. We will not pursue researchers acting in good faith under these terms.
  • These terms do not create an employment, partnership, or agency relationship.
  • We may modify these terms; the version in effect at submission governs the report.