Golff Bug Bounty Program
Golff.Finance is committed to providing safe and reliable services to users, and the security of the system has always been a top priority in the team's development work. Although Golff has been strictly reviewed by multiple auditors, vulnerabilities remain possible given the ever-changing nature of the DeFi product ecosystem.
For the sake of Golff's stable development and the safety of its users' assets, Golff is now launching a bug bounty program. Through this campaign, we hope to attract more professional security researchers, software developers and white-hat hackers to participate in the program. If you find a security bug, we would be happy to work with you to resolve it quickly and offer you a reward of up to $20,000.
Scope of application of this plan
Vulnerabilities in the following Golff contracts only:
- Golff Vault Related Contracts
- Golff Lend Related Contracts
- Golff Farm Related Contracts
- Golff DAO Related Contracts
- Golff Bridge Related Contracts
- GOF Token Contracts:
  - GOF(ERC20): 0x488E0369f9BC5C40C002eA7c1fe4fd01A198801c
  - GOF(HECO): 0x2aafe3c9118db36a20dd4a942b6ff3e78981dce1
  - GOF(BEP20-BSC): 0x2bcF9c1861FaE2d5a7D2b3242b71e2a8d461F61e
The following cases are not covered by this bug bounty program:
- Vulnerabilities in any third-party contract or platform that interacts with Golff.
- Vulnerabilities arising from any of the following: front-end errors, DDoS attacks, automated tools, compromise or misuse of third-party systems or services.
Bug severity classification and rewards
Submitted vulnerabilities need to satisfy minimum severity criteria to be eligible for rewards. Successfully submitted and reviewed vulnerabilities will be rewarded with Golff tokens based on their classification and severity level.
The severity of contract vulnerabilities will be assessed by reference to the CVSS risk rating scale, as follows:
The terms and rules of the bug bounty program may change over time.
Reports need to contain enough technical detail for the team to quickly reproduce and fix the bug.
Previously reported or publicly available vulnerabilities do not meet the rules of participation; where the same bug is reported more than once, the first submitted report takes precedence.
Vulnerabilities that have been publicly disclosed, or that have been used for illegal gain (other than rewards under this program), do not qualify under the rules of participation.
Rewards will be determined on a case-by-case basis for different vulnerabilities. The Bug Bounty Program and the Terms and Conditions are at the sole discretion of Golff.
Please send reports to email@example.com
No disclosure should be made to any other person, entity or email address prior to disclosure to the above email.
For valid bug reports, we will reply by email within 10 business days and will explain in that email how the reward will be issued.
Other terms and conditions
All rewards will be issued in the form of GOF tokens and the final right to interpret them belongs to the Golff team.
Please read and follow the above policy carefully, otherwise your report will not be rewarded.