Reporting, Rules & Rewards
The bug must not be disclosed publicly or to any other person/entity before Bonfida has been notified, has rectified the issue and the user has been granted permission for public disclosure.
Reports have to be made within 24 hours following the discovery of the vulnerability. If these conditions are not met, the user’s rewards will be embargoed.
All bug reports should come with a detailed proof of concept. High-quality proof of concepts plays a role in the number of rewards distributed.
High-quality reports include:
- 1.The conditions on which to reproduce the bug are contingent. Higher rewards are considered for clear well-written submissions.
- 2.The steps needed to reproduce the bug. This comprises but is not limited to; test codes, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability the greater the probability of a decent reward.
- 3.The potential implication of the vulnerability being abused. Moreover, if users provide a quality fix, that is, a clear description of how to fix the bug they will also be considered for higher rewards.
Submit only one vulnerability per report, unless it is needed to provide a chain of vulnerabilities to describe the impact.
Already submitted issues and issues known by the team are not eligible for bounty rewards. Users will only receive a bounty if they were the first to disclose the bug on Telegram.
Once again, if the bug was publicly disclosed, the user will be ineligible for the bounty. Equally, if the user exploited the vulnerability in any way (i.e. trying to make a profit from it) before reporting it, no rewards will be granted.
Users will not be entitled to a bounty when engaging in unlawful conduct as threats, demands, or any other coercive tactics.
Lastly, users are not allowed to be subjects of sanctioned geographical areas:
Belarus, the Central African Republic, the Democratic Republic of Congo, the Democratic People’s Republic of Korea, the Crimea region of Ukraine, Cuba, Iran, Libya, Somalia, Sudan, South Sudan, Syria, Thailand, the USA, Yemen and Zimbabwe.
Rewards are determined by several variables and these will be evaluated and rewarded at the discretion of the Bonfida team. The number of rewards paid out is dependent on the severity, value at risk, quality of report and the likelihood of the bug being exploited.
Bounty payouts will be in the form of $FIDA.
The severity is classified based on:
Direct and immediate risk to a broad array of users implicating a loss of funds, possibly through corrupted account data and making recovery very difficult or impossible.
Attackers can modify limited amounts of data or behaviors they are not authorized to access. Generally, more narrow scope than high severity issues when judged against broadness of impact or ease of exploitation. This includes corruption of the program state resulting in a minority of users being affected financially.
Attackers may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended and irreversible behavior. This includes state corruption resulting in a temporary halt of program functioning.
Reward sizes are guided by the rules outlined in the Reporting section, but are in the end, determined at the sole discretion of the Bonfida team. The Bonfida team reserves the right to adjust bounty amounts at any time in the future:
- Critical: from 50,000 to 250,000 $FIDA
- High: up to 10,000 to 25,000 $FIDA
- Medium: up to 5,000 $FIDA
Bounty amounts < 10,000 $FIDA will be a fully unlocked payment.
Any bounty > 10,000 $FIDA would realize a 10% initial payment to the user. The rest of the bounty will be locked for 6 months and after that, it will start linearly unlocking for a 1-year period.
By submitting your report, you grant Bonfida any and all rights, including intellectual property rights needed to validate, mitigate and disclose the vulnerability.
The bug bounty program is a discretionary rewards program for the Bonfida community to encourage and reward those who are helping to improve the platform.
However, this is definitely not a competition. Users should be aware that Bonfida can alter and/or cancel the program and terms and conditions at any time.