DINNGO engineers have made every effort to ensure that our platform and users are 100% safe and sound. To help us maintain the highest standard for the security, we are launching the DINNGO Exchange Bug Bounty Program.
This program is intended to work with independent security researchers across the globe and set out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return. Should you encounter a security vulnerability in one of our products, we want to hear from you.
The bug bounty program is to reward community members for discovering and reporting bugs. The scope of the bounty will be limited to https://exchange.dinngo.co/#/ and https://github.com/Dinngo/dinngo-exchange and the contracts they inherit from.
DINNGO reserves the right to modify or cancel the DINNGO Bug Program at DINNGO’s sole discretion and at any time.
The value of rewards will vary depending on severity as judged by the DINNGO team. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:
- Note: Up to $100 USD
- Low: Up to $500 USD
- Medium: Up to $1,000 USD
- High: Up to $2,500 USD
- Critical: Up to $5,000 USD
DINNGO determines the eligibility of vulnerability, scores and whether a reward is granted at its sole and own discretion. A granted reward for Critical bug will be paid in ETH and the rest (Note/Low/Medium/High bug) will be paid in DGO.
First Reporter Rule
Rewards for a specific vulnerability go to the first reporter. We will review duplicate bugs to see if they provide additional information, but otherwise a subsequent bug report reporting the same or similar vulnerability will not be eligible for a reward (first come first serve principle).
- Do not violate the privacy or any rights of DINNGO’s users or support third parties with such actions.
- Do not destroy or alter discovered data.
- Do not disrupt or compromise our services.
- You must not use, attempt or be involved in any kind of (1) spam (2) social engineering techniques, including SPF and DKIM issues (3) distributed denial of service (DDOS) attacks (4) attacking any kind of physical security measures.
- You must provide us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
- Non-security issues (style issues, gas optimizations) are not eligible.
- Sharing any information of the vulnerability to any third party is prohibited.
Any breaking or neglecting of these rules will be a violation of the DINNGO Bug Bounty Program.
Report a Bug
- Submit your bug report at the link here https://go.dinngo.co/2YxhZ3y
- Please limit each submission to one issue.
- In your bug report, please make sure to include steps to reproduce the issue and attach any necessary information, such as screenshots and logs.
- Try to include as much information as you can in the report, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept.
- Your ETH address for payment should also be provided in the report.
- Please allow five (5) business days for us to respond before sending another report or email.