Security is a top priority for SaucerSwap. To encourage responsible disclosure of vulnerabilities, we offer a Bug Bounty Program with financial rewards based on the severity of the identified issues.

Scope

The following are not within the scope of the program:

  • SaucerSwap mainnet contracts and production environment (testing restricted to testnet, which mirrors mainnet)

  • Third-party contracts not directly associated with SaucerSwap

  • Known issues from previous audit and bug bounty reports

  • Third-party applications using SaucerSwap contracts

  • Any findings that rely on Denial of Service (DoS) or Distributed Denial of Service (DDoS)

Rewards

The program includes the following four-level severity scale, based on the OWASP risk rating methodology.

  • Critical: Issues that could impact numerous users and have serious reputational, legal, or financial implications. An example would be being able to lock contracts permanently or take funds from all users.

  • High: Issues that impact individual users where exploitation would pose reputational, legal, or moderate financial risk to the user.

  • Medium: The risk is relatively small and does not pose a threat to user funds.

  • Informational: The issue does not pose an immediate risk but is relevant to security best practices.

SaucerSwap Labs will determine rewards based on the bug's severity and its potential for exploitation. Rewards may be disbursed in U.S. dollars, cryptocurrency, or a mix of both.

Disclosure

Report vulnerabilities to [email protected]. An acknowledgment will be sent within two to three business days. Do not disclose the bug publicly until it is resolved and permitted by SaucerSwap Labs.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • Conditions required for reproducing the bug

  • Step-by-step guide or proof of concept for reproduction

  • Potential consequences if exploited

  • Suggested remediation (optional)

Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be financially rewarded.

Eligibility

To be eligible for a reward under this program, you must meet the following conditions:

  1. Uniqueness: Discover a previously unreported, non-public vulnerability that is not already known to our team and is within the scope of the program.

  2. First Disclosure: Be the first to disclose the unique vulnerability to [email protected], and adhere to the program's disclosure requirements.

  3. Detailed Reporting: Provide comprehensive information that enables our engineers to reproduce and remedy the vulnerability.

  4. Non-Exploitation: Do not exploit the vulnerability in any form, including publicizing it or seeking other forms of profit, except under this program.

  5. Non-Publicization: Do not disclose the vulnerability to the public or any third party without our explicit approval.

  6. Ethical Conduct: Make a good faith effort to prevent privacy violations, data destruction, service interruption, or any degradation of in-scope assets.

  7. Lawful Behavior: Do not engage in any unlawful conduct during the disclosure process, such as making threats or demands.

  8. Age Requirement: Must be at least 18 years of age. If younger, you may participate with the consent of a parent or guardian.

  9. Legal Compliance: Cannot be subject to U.S. sanctions or reside in a U.S.-embargoed country.

  10. Non-Affiliation: Cannot be a current or former employee, vendor, or contractor who contributed to the development of the affected code.

  11. Complete Compliance: Must comply with all other eligibility requirements specified in this program.

By meeting these criteria, you become eligible for a reward under the SaucerSwap Bug Bounty Program.

Other Terms

By submitting a report, you grant SaucerSwap Labs the rights necessary to validate and resolve the vulnerability. All reward decisions are at our sole discretion. The program's terms may be changed at any time.