Bug Bounty Q&A

The following questions will help you understand our service offering. If you cannot find an answer to your question, please contact us at [email protected].

Background Information

Please can you share an overview of yourselves and your bug bounty program?

AuditOne is a decentralized community of 400+ white hat hackers/auditors who are offered bounties for the bugs and vulnerabilities they identify.

Bounty Location

Please can you share the URL where the bounties will be posted?

Coverage & Scope

Please can you detail what kind of coverage, scope, bugs, or potential exploits you think we should include as an L1/L2? Do you have detailed definitions for these that we could use?

- Stealing or loss of funds

- Unauthorized transaction

- Transaction manipulation

- Price manipulation

- Fee payment bypass

- Balance manipulation

- Contracts execution flows

- Consensus flaws

- Peer-to-peer network flaws

- Cryptographic flaws

Please could you outline your recommendation on how we would structure the bounties? E.g. how are severities defined, and how do we define which bugs deserve what level of payout?

We usually advise that the bounty for a critical bug be up to 10% of TVL, since a critical bug is one that could let an attacker steal or control all of the funds.

Low-severity issues can pay a few thousand, while medium-severity issues are typically in the range of 5–20k.

Commercials

Is there an upfront fee?

No.

Any ongoing maintenance fees?

No.

Any fees as a % of bounties paid out?

Only a 5% fee on each payout, deducted from the bounty reward and therefore paid by the auditor rather than by you. There are no other fees.

Bug Validation, Reporting & Screening

What’s the process for validating whether a bug is real and/or true?

We screen submissions initially. If they are not spam, alerts are sent to the developers you assign on your side. We can also assess and triage them for you, but that would be charged as a monthly fee, to be determined.

Can you please describe how bugs would be reported to us and/or screened by you (if relevant)?

Reports are submitted through our platform, where we screen them initially. If they are not spam, alerts are sent to the developers you assign on your side. We can also assess and triage them for you, but that would be charged as a monthly fee, to be determined.

What happens in case a highly critical / zero-day / crisis-level bug is discovered and requires urgent attention? Do you have resources in place to quickly escalate this and report it to us for swift resolution?

We exchange personal contact details with your lead developers. In addition, we have real-time alerting in place over email and Telegram.

How are reports kept confidential so they cannot be exploited by others?

Our app has a proper user-management system with access controls, and reports are shared only within trusted systems.

Please can you describe the process for how the bug bounty program would be legally structured?

To begin with, the program is set out on paper only, and you pay the bounty hunters directly.

What if there’s a dispute? How would this work?

Disputes go to an arbitration committee of five members: two from AuditOne, two from your team, and one from Kleros.io.

Where is your entity domiciled that we would engage with?

Germany.

How do you structure things legally with the white hat hackers?

They agree to the terms and conditions on our platform.

Payouts

Can you describe how payouts would be handled?

Bounties can be paid out from an escrow held at AuditOne, or directly by you.

Is this in USD and/or stablecoin? Would it be in tokens rebased to USD value?

Stablecoins are the most attractive way to offer bounties. Paying in tokens at a pre-defined USD value is also fine.

Do you require any funds to be placed in escrow?

We are developing coverage and escrow pools that can be used at a later stage. For now, escrow is not required.

Do you pay the bounty or do we? If so, how is KYC handled?

We perform KYC on the auditors / bounty hunters. The payment process itself can be customized to your needs.

Ecosystem, Reach & Credentials

Please can you describe your ecosystem? E.g., how many active white hat hackers do you have? How experienced are they?

More than 380 auditors: 300+ proficient in Solidity, 50+ proficient in Rust, and many pen-testers or people from traditional security backgrounds.

How many bounties have you posted and/or paid out in the past? What’s the monetary value of this?

We are in discussions with a few other projects, but agreeing on terms takes time. Our bug bounty feature was developed only recently, and the legal contracts have been drafted. This is your chance to be one of the first bounties on the platform, which makes standing out much easier.

Differentiation

How do you differentiate from the other bug bounty providers?

We are decentralized, we send real-time alerts to the communication channels of your choice, and we have the largest auditor community.
