Sign up to app.auditone.io. Complete KYC and qualify for the exam, if required.

Any white hat hacker that follows the General rules and regulations and adheres to the Code of Conduct is eligible to participate. Some projects require hackers to have completed a KYC to participate.

You must sign up to the AuditOne platform to be able to submit reports.

You must not be on any sanctions lists or reside in countries on sanctions lists (e.g., North Korea, Iran, etc.).

Open our app and navigate to the section ‘submit report’. You will find it in the bug bounty tab.

Good vulnerability submission should have a detailed explanation of how one can exploit and impact on smart contracts. Steps to reproduce to validate the vulnerability and proof of concept, Recommendations to fix is a good submission.

On submission, there will be two reviews - one by AuditOne and the next by the project. If both the reviews are cleared, and the project fixes the issue. The bounty will be released.

No. Auditors are not allowed to disclose bugs in public at any point in time until Auditone or Project publishes it to the community. Publicly disclosing a vulnerability before it's resolved makes it ineligible for a bounty.

Sometimes, reviews may take additional time due to the unavailability of a concerned person at AuditOne or Project. You can DM us on Discord (@adrien_re) or check the current status of the review on the AuditOne platform. Our triage team takes higher priority for Critical and High over Low issues.

No. You may not be eligible for the bounty if you contact the project directly. As per our agreement with the projects, all submissions about bugs in the bug bounty scope must be submitted through the AuditOne platform.

No. You must submit a new report.