All contracts in our
/contracts in the repo https://github.com/argentlabs/argent-contracts/
master are eligible for the bounty.
The Argent website or the Argent infrastructure in general is NOT part of this bug bounty program.
What vulnerabilities to look for
We of course want to know every vulnerability, but in particular:
- Risk of funds being stolen
- Risk of funds being frozen or lost
- Risk of security operations (lock, recovery, guardians) being maliciously triggered or prevented
Anything already covered by our audits is NOT in scope.
Overview of how Argent works
We follow many of the bug bounty rules that the Ethereum Foundation does:
- Decisions on the eligibility and size of a reward are the sole discretion of Argent.
- Any disclosure of a vulnerability to the public or other third parties (such as the media) before Argent makes it public will disqualify the bounty. Issues must be privately submitted to email@example.com.
- Issues must be new to the team. They can’t have already been identified by another user or by an audit.
- No employees, contractors or others with current or prior commercial relationships with Argent are eligible for rewards. This includes auditors used by Argent.
- Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it.
The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.
Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Argent.
- Critical: up to $50,000
- High: up to $25,000
- Medium: up to $10,000
- Low: up to $2,000
In addition to severity, other variables are also considered when Argent evaluates the eligibility and size of a bounty, including (but not limited to):
- Quality of description.
Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility.
Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included.
Higher rewards are paid for submissions with clear description of how to fix the issue.
- Give us time to investigate anything you report before sharing it publicly or with others
- (And hopefully this goes without saying) don’t exploit an issue if you find one
- Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service
Please email firstname.lastname@example.org