Security is a top priority for SaucerSwap. To encourage responsible disclosure of vulnerabilities, we offer a Bug Bounty Program with financial rewards based on the severity of the identified issues.

โ€‹
Scope

The following are not within the scope of the program:
  • SaucerSwap mainnet contracts and production environment (testing restricted to testnet, which mirrors mainnet)
  • Third-party contracts not directly associated with SaucerSwap
  • Known issues from previous audit and bug bounty reports
  • Third-party applications using SaucerSwap contracts
  • Any findings that rely on Denial of Service (DoS) or Distributed Denial of Service (DDoS)

โ€‹
Rewards

The program includes the following four-level severity scale, based on the OWASP risk rating methodology.
  • Critical: Issues that could impact numerous users and have serious reputational, legal, or financial implications. An example would be being able to lock contracts permanently or take funds from all users.
  • High: Issues that impact individual users where exploitation would pose reputational, legal, or moderate financial risk to the user.
  • Medium: The risk is relatively small and does not pose a threat to user funds.
  • Informational: The issue does not pose an immediate risk but is relevant to security best practices.
SaucerSwap Labs will determine rewards based on the bugโ€™s severity and its potential for exploitation. Rewards may be disbursed in U.S. dollars, cryptocurrency, or a mix of both.

โ€‹
Disclosure

Report vulnerabilities to [email protected]. An acknowledgment will be sent within two to three business days. Do not disclose the bug publicly until it is resolved and permitted by SaucerSwap Labs. A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
  • Conditions required for reproducing the bug
  • Step-by-step guide or proof of concept for reproduction
  • Potential consequences if exploited
  • Suggested remediation (optional)
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be financially rewarded.

โ€‹
Eligibility

To be eligible for a reward under this program, you must meet the following conditions:
  1. Uniqueness: Discover a previously unreported, non-public vulnerability that is not already known to our team and is within the scope of the program.
  2. First Disclosure: Be the first to disclose the unique vulnerability to [email protected], and adhere to the programโ€™s disclosure requirements.
  3. Detailed Reporting: Provide comprehensive information that enables our engineers to reproduce and remedy the vulnerability.
  4. Non-Exploitation: Do not exploit the vulnerability in any form, including publicizing it or seeking other forms of profit, except under this program.
  5. Non-Publicization: Do not disclose the vulnerability to the public or any third party without our explicit approval.
  6. Ethical Conduct: Make a good faith effort to prevent privacy violations, data destruction, service interruption, or any degradation of in-scope assets.
  7. Lawful Behavior: Do not engage in any unlawful conduct during the disclosure process, such as making threats or demands.
  8. Age Requirement: Must be at least 18 years of age. If younger, you may participate with the consent of a parent or guardian.
  9. Legal Compliance: Cannot be subject to U.S. sanctions or reside in a U.S.-embargoed country.
  10. Non-Affiliation: Cannot be a current or former employee, vendor, or contractor who contributed to the development of the affected code.
  11. Complete Compliance: Must comply with all other eligibility requirements specified in this program.
By meeting these criteria, you become eligible for a reward under the SaucerSwap Bug Bounty Program.

โ€‹
Other Terms

By submitting a report, you grant SaucerSwap Labs the rights necessary to validate and resolve the vulnerability. All reward decisions are at our sole discretion. The programโ€™s terms may be changed at any time.