Security Rewards

Bug Bounty

Help secure the Bouclier protocol. We offer rewards for responsibly disclosed vulnerabilities across all protocol components.

Program Status
Bug Bounty Program: Accepting Reports

The bug bounty program is active for testnet contracts and SDK code. Report scope will expand to mainnet contracts upon deployment. All valid reports receive acknowledgment within 48 hours.

Reward Tiers
Critical: Up to $50,000

Fund loss, consensus bypass, or remote code execution on sentinel nodes.

High: Up to $25,000

Policy bypass, unauthorized agent actions, or state corruption vulnerabilities.

Medium: Up to $10,000

Denial of service, information leaks, or griefing attacks with limited impact.

Low: Up to $2,000

Minor issues, gas optimizations, or informational findings with minimal risk.

In Scope
bouclier-contracts

Smart contract vulnerabilities — registry, policies, verification

bouclier-sdk

SDK security issues — auth bypass, input validation, key handling

bouclier-node

Sentinel node exploits — consensus attacks, DoS, memory safety

Policy Modules

Logic flaws in reference policy implementations

Dashboard

XSS, CSRF, and wallet interaction vulnerabilities

Documentation

Security-relevant documentation errors (informational only)

Rules & Guidelines

Vulnerabilities must be reported privately via the disclosure form before any public disclosure.

Only test against testnet deployments (Base Sepolia). Do not test against mainnet contracts.

Social engineering, phishing, and physical attacks are out of scope.

Duplicate reports receive no reward — first valid report wins.

Severity is determined by the Bouclier security team based on impact and likelihood.

Rewards are paid in USDC on Base within 30 days of fix confirmation.

Disclosure Timeline
1. Report Submitted: Day 0

Submit via the bug bounty form with full reproduction steps

2. Acknowledgment: < 48 hours

Security team confirms receipt and begins triage

3. Severity Assessment: < 7 days

Impact classified and reward range communicated

4. Fix Deployed: Varies

Patch developed, tested, and deployed via governance process

5. Reward Payment: < 30 days

USDC payment sent after fix confirmation

Safe Harbor

We Will Not Pursue Legal Action

Security researchers acting in good faith under this program are protected. We will not initiate legal action against researchers who discover and report vulnerabilities following the rules outlined above. This includes accessing systems, sending transactions to testnet contracts, and analyzing code — as long as no user funds or data are put at risk.

Report a Vulnerability

Found something? Submit a report and help secure the protocol.

[SYS] BOUCLIER.ETH v0.1.0-alpha