We are committed to ensuring that the security of our data and systems is paramount and invite security researchers to assist in the ongoing development of strong security practices.
The following areas are within the scope of our Bug Bounty program:
- Boson Protocol website
- All Boson Protocol GitHub repositories
The following areas are excluded from the scope of our bug bounty program:
- DoS/DDoS
- Phishing/CEO Fraud
- Social Engineering
- Services or applications hosted by third-party providers
- DNS
- Findings from any application belonging to Boson Protocol that is not listed in the "In Scope" section above
- Spelling mistakes or UI/UX errors
The following conditions also apply:
- Issues that are already known, have been submitted, or are pending review will not be considered
- The vulnerability must be unused (not exploited by you or an affiliate) and not made publicly known. The issue must remain confidential between the security researcher and Boson Protocol for a minimum of 90 days to give us time to fix it
- Use the appropriate communication channels to submit your report
Your report will be assessed by our Tech Team and scored using the Common Vulnerability Scoring System (CVSS). Rewards range from 100 DAI to 5,000 DAI depending on the resulting CVSS score.
If you think you have found a vulnerability, please submit a full report that should include:
- Full description and information of what has been found, including potential impact
- Proof of concept scripts
- Supporting screenshots or screen captures
The above should be sent to security@bosonprotocol.io, and we will respond with an initial outcome confirmation within 72 hours.
DO NOT FILE A PUBLIC ISSUE OR PULL REQUEST IF THERE ARE SECURITY CONCERNS.
If a public issue or pull request is filed before a vulnerability report to security@bosonprotocol.io, no reward will be posted.