Bug Bounties

Receive AQUA for helping us squash bugs.

Aquarius
Aquarius / AQUA
Jan 26, 2023

Part of constantly growing Aquarius is ensuring the protocol is operational, reliable, and consistently performing to the highest standards. Now and then, a coding bug or loophole can cause issues, creating vulnerabilities in the Aquarius protocol.

Aquarius offers bug bounties to those who find and raise vulnerabilities with the team, allowing fix deployments that safeguard Aquarius.

The bug bounty fund is tied to the 2.5 Billion AQUA emergency fund.

What bugs can result in rewards?

Reward considerations apply to most bugs found that can negatively impact Aquarius. Bounties are paid at the team's sole discretion, with reward values dependent on an issue's severity and complexity.

While we can consider a lot of different issues for a bounty, the following points would not come under our scope:

  • Bugs found in third-party platforms that interact with Aquarius
  • Vulnerabilities already reported or discovered by the team or advisors
  • Any already-reported bugs by others in the community

Vulnerabilities that occur due to any of the following are also outside of the bug bounty's scope:

  • Front end bugs
  • DDOS attacks
  • Spamming
  • Phishing
  • Compromise or misuse of third-party systems or services.

How should I report potential bugs?

Any vulnerability or bug discovered should be reported via private message to any of the admins of the Telegram, Discord, or Reddit channels, or to our bug reporting email address, security@aqua.network.

Disclosure of vulnerabilities must not be made public or to any persons, entities, or email addresses before Aquarius has been notified and a fix deployed. Bug disclosures should preferably be made within 24 hours of discovery. Once fixed, Aquarius will grant permission for public disclosure.

When submitting a report, please provide as much detailed information about the vulnerability as possible. Higher quality and more detailed vulnerability reports increase the chance of a reward.

Points to consider in your report are:

  • What conditions cause the bug to occur
  • All steps needed to replicate the bug and, if possible, a demo video or screenshots showcasing the bug
  • Explanation of potential effects if the vulnerability is abused

Those who report bugs and vulnerabilities that result in a fix deployment by the Aquarius team can choose to be publicly recognized if they wish.

Eligibility

To be eligible for an Aquarius bug bounty reward, you must:

  • Be of legal age in the jurisdiction where you reside or, if younger, submit your vulnerability with parental or guardian consent.
  • Be first to discover and disclose to the Aquarius team, in compliance with the above disclosure requirements, a previously unreported, non-public vulnerability that could result in abuse or compromise of the Aquarius protocol.

(If multiple users report similar vulnerabilities within 24 hours, rewards will be split at the discretion of Aquarius.)

  • Provide sufficient information so our developers can reproduce and fix the vulnerability.
  • Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  • Not submit separate underlying vulnerabilities caused by a known issue already considered for a bug bounty.
  • Not engage in unlawful conduct when disclosing the bug to Aquarius, including through threats, demands, or other coercive tactics.
  • Not exploit the vulnerability in any way, including making it public or obtaining a profit (other than a payment from the Aquarius bug bounty program).
  • Make a reasonable, good-faith effort to avoid privacy violations, data destruction, interruption, or degradation of the Aquarius protocol.
  • Not be subject to US/EU sanctions or reside in a US/EU-embargoed country.
  • Not be a current or former employee (within 6 months), vendor, contractor, agent, or former employee (within 6 months) of any of those vendors, contractors, or agents.
  • Comply with all the Aquarius bug bounty eligibility requirements.

Other Terms

By submitting a report, you grant Aquarius all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions are made at our sole discretion, including eligibility, reward amounts, and how such rewards will be paid.

Aquarius may alter the terms and conditions of this program at any time.
