Scope
In scope:
- SaucerSwap testnet contracts and GitHub repositories
- SaucerSwap testnet interface
Out of scope:
- SaucerSwap mainnet contracts and production environment (testing is restricted to testnet, which mirrors mainnet)
- Third-party contracts not directly associated with SaucerSwap
- Known issues from previous audit and bug bounty reports
- Third-party applications using SaucerSwap contracts
- Any findings that rely on Denial of Service (DoS) or Distributed Denial of Service (DDoS)
Rewards
The program uses the following four-level severity scale, based on the OWASP risk rating methodology.
- Critical: Issues that could impact numerous users and have serious reputational, legal, or financial implications. An example would be being able to lock contracts permanently or take funds from all users.
- High: Issues that impact individual users where exploitation would pose reputational, legal, or moderate financial risk to the user.
- Medium: The risk is relatively small and does not pose a threat to user funds.
- Informational: The issue does not pose an immediate risk but is relevant to security best practices.
Disclosure
Report vulnerabilities to [email protected]. An acknowledgment will be sent within two to three business days. Do not disclose the bug publicly until it is resolved and disclosure is permitted by SaucerSwap Labs. A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- Conditions required for reproducing the bug
- Step-by-step guide or proof of concept for reproduction
- Potential consequences if exploited
- Suggested remediation (optional)
Eligibility
To be eligible for a reward under this program, you must meet the following conditions:
- Uniqueness: Discover a previously unreported, non-public vulnerability that is not already known to our team and is within the scope of the program.
- First Disclosure: Be the first to disclose the unique vulnerability to [email protected], and adhere to the program's disclosure requirements.
- Detailed Reporting: Provide comprehensive information that enables our engineers to reproduce and remedy the vulnerability.
- Non-Exploitation: Do not exploit the vulnerability in any form, including publicizing it or seeking other forms of profit, except under this program.
- Non-Publicization: Do not disclose the vulnerability to the public or any third party without our explicit approval.
- Ethical Conduct: Make a good faith effort to prevent privacy violations, data destruction, service interruption, or any degradation of in-scope assets.
- Lawful Behavior: Do not engage in any unlawful conduct during the disclosure process, such as making threats or demands.
- Age Requirement: Must be at least 18 years of age. If younger, you may participate with the consent of a parent or guardian.
- Legal Compliance: Cannot be subject to U.S. sanctions or reside in a U.S.-embargoed country.
- Non-Affiliation: Cannot be a current or former employee, vendor, or contractor who contributed to the development of the affected code.
- Complete Compliance: Must comply with all other eligibility requirements specified in this program.