Bug Bounty Program

Introduction

The Vision.io Bug Bounty Program is designed to encourage and reward members of the Web3 community for contributing to the security of our platform. This program is subject to change and may be cancelled at any time. Participation is subject to legal restrictions.

Rules and Rewards

Eligibility

Only issues not already known to the Vision team or previously reported by another user are eligible.
Public disclosure of a vulnerability, including exploitation on any public network, disqualifies it from a bounty.
The Vision team, ENS Vision PTE LTD employees, and those paid by ENS Vision PTE LTD are ineligible.
Only specific smart contracts are eligible. Issues in websites, UI/UX, or other infrastructure are excluded.

Exclusions

No bounties will be issued for:

UI/UX/Interface Issues: This includes cosmetic defects, layout issues, color scheme preferences, font styles, and other graphical elements that do not impact the security or functionality of the platform.
User Errors: Loss of money or functionality due to user mistakes, misunderstanding of features, or incorrect usage of the platform.
Network Failures: Issues arising from external network problems, including but not limited to ISP issues, DNS errors, or general internet connectivity problems.
Typos and Misspellings: Mistyped words, grammatical errors, or misspellings in any part of our website or documentation. While we appreciate corrections, they do not qualify for a bug bounty reward.
Non-Security Functional Issues: Reports of broken links, unresponsive buttons, or similar functional issues that do not pose a security risk.
Performance Complaints: General feedback about the platform's performance, speed, or efficiency that does not relate to a specific security vulnerability.
Duplicate Reports: Issues that have already been reported by someone else or are already known to the Vision team.

Reward Determination

Rewards vary by the severity of the vulnerability, based on the OWASP risk rating model.

The Vision team has sole discretion in determining eligibility, score, and reward size.

Critical: $ 500 - $ 1000 USD
High: $ 200 - $ 500 USD
Medium: up to $ 200 USD
Low: up to $ 150 USD
Note: up to $ 100 USD

For Example - this could mean: low = informational but important (API keys or API abuse etc.) medium = DoS where a part of our site could be broken critical = loss of funds / potentially XSS on a wallet-enabled page etc.

Considerations for Rewards

Quality of description: Clear, well-written submissions are preferred.
Reproducibility: Include test code, scripts, and detailed instructions.
Proposed fixes: Submissions with a clear fix description are valued higher.

Important Legal Information

The program is discretionary and not a competition.
We cannot issue awards to individuals in or from sanctioned countries (e.g., North Korea, Iran).
Participants are responsible for all taxes.
Any submitted patches must adhere to the repository's license.
Your testing must be lawful and not compromise any data not owned by you.

Evaluation by Chief Security Officer

All bug bounty submissions will be thoroughly reviewed and valued by our Chief Security Officer, . The decision of the CSO will be final in determining the eligibility and reward for each submission.

Submitting a Bug

Report bugs via our Help Portal:

PreviousAfternic NextDisclaimer

Last updated 5 months ago

Was this helpful?