Disclosure must be made privately and directly to the PowerPool team (e.g. by emailing [email protected]).
The bug must not be exploited by the discloser except possibly for negligible amounts (and only if this is required to demonstrate the exploit).
The discloser must not reveal the exploit to anybody except the PowerPool team until the PowerPool team have addressed the exploit.
All disclosures must include detailed steps on how to perform the exploit.
Only the first discloser of a particular bug is eligible for a reward, although the PowerPool team may reward subsequent disclosures if they either provide additional information above the first report, or the bug is particularly severe, at the PowerPool team’s discretion.
Rewards for responsible disclosure
Exploits are divided into categories at the PowerPool team’s discretion.
Exploit with minimal real impact, e.g. cosmetic issues. 50 - 250 CVP
Minor impact, e.g. exploits affecting functionality of the products, ability to vote, withdraw, etc. 250 - 1,000 CVP
Exploits which can be used to access or take money that a user is not entitled to, e.g. exploits which can be used to mint additional tokens without providing the requisite inputs. 1,000 - 10,000 CVP
Critical exploits, e.g. the recent bug in one of our smart contracts. 10,000 - 50,000 CVP[*]
Bug bounty rewards are not vested owing to their importance.