Goldfinch Community Announces $500k Bug Bounty Program, through Immunefi

blake west (goldfinch_fi)
3 min read · Sep 10, 2021

Summary

In line with the Goldfinch community’s focus on security, the protocol has partnered with Immunefi to run a $500k bug bounty program. The program begins immediately and will run continuously. Its purpose is to maintain the highest level of security by giving good-faith hackers and security researchers a substantial monetary incentive to responsibly disclose bugs that could put user funds at risk.

This program is in addition to the multiple formal audits that have been done, and will continue to be done, on our open-source code.

How does it work?

It’s very easy. Sign up with Immunefi, and start looking through our contracts! If you find vulnerabilities, report them through Immunefi.

Rewards

Rewards will be given up to a maximum of $500k for critical bugs that would lead to loss of funds. Payouts for critical bugs are capped at 10% of the potential economic damage, but will have a minimum payout of $20k.

There are also rewards for high and medium severity bugs. See the full rules for details.

Scope

The primary scope of the bug bounty program is for vulnerabilities affecting the latest version of the on-chain Goldfinch Protocol, deployed to the Ethereum Mainnet, for contract addresses listed in the full rules.

This list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts built on top of Goldfinch by third-party developers (such as smart contract wallets) are not in-scope, nor are vulnerabilities that require ownership of an admin key.

The secondary scope of the bug bounty program is for vulnerabilities affecting the Goldfinch Interface hosted at app.goldfinch.finance that could conceivably result in exploitation of user accounts, or loss of funds.

Finally, test contracts (Rinkeby and other testnets) and staging servers are out of scope, unless the discovered vulnerability also affects the Goldfinch Protocol or Interface, or could otherwise be exploited in a way that risks user funds.

Terms and Conditions

To be eligible for bug bounty reward consideration, you must:

  • Identify an original, previously unreported, non-public vulnerability within the scope of the Goldfinch bug bounty program as described above.
  • Include sufficient detail in your disclosure to enable our engineers to quickly reproduce, understand, and fix the vulnerability.
  • Be at least 18 years of age.
  • Be reporting in an individual capacity, or if employed by a company, reporting with the company’s written approval to submit a disclosure to Goldfinch.
  • Not be subject to US sanctions or reside in a US-embargoed country.
  • Not be a current or former Goldfinch employee, vendor, contractor, or employee of a Goldfinch vendor or contractor.

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:

  • Play by the rules, including following the terms and conditions of this program and any other relevant agreements. If there is any inconsistency between this program and any other relevant agreements, the terms of this program will prevail.
  • Report any vulnerability you’ve discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
  • Use only Immunefi to discuss vulnerabilities with us.
  • Keep the details of any discovered vulnerabilities confidential until they are fixed.
  • Only interact with accounts you own or with explicit permission from the account holder.
  • Not engage in blackmail, extortion, or any other unlawful conduct.

When working with us according to this program, you can expect us to:

  • Pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery, at Goldfinch’s sole discretion.
  • Extend Safe Harbor for your vulnerability research that is related to this program, meaning we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.
  • Work with you to understand and validate your report, including a timely initial response to the submission.
  • Work to remediate discovered vulnerabilities in a timely manner.
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Goldfinch will follow all rules listed above including what is in scope and reward amounts, unless extraordinary circumstances prevent this from happening. Ultimately all reward determinations, including eligibility and payment amount, are made at Goldfinch’s sole discretion. Goldfinch reserves the right, under extraordinary circumstances, to reject submissions and alter the terms and conditions of this program.

Cofounder, CTO @goldfinch_fi. Formerly: Senior Engineer @Coinbase, 1st hire @HintHealth, Musician. Also ML enthusiast