Bug Bounty Program

Bug Bounty Program Overview

The dKargo Bug Bounty Program is designed to enhance the security and stability of both our Testnet and Mainnet. This document outlines the program's purpose, evaluation criteria, reward structure, and submission procedures.

Severity Levels and Rewards

Bug severity is classified into four levels based on its potential impact on the mainnet.

Severity (Reward): Description and Examples

Critical ($2,000)

  • Vulnerabilities that can disable core system functions or be exploited

  • Severe security threats such as network downtime, asset theft, or significant data tampering

High ($700)

  • Vulnerabilities that can impact service functionality

  • Issues like data manipulation, API security flaws, or potential exploitation of the Faucet system

  • Bugs that can directly affect service operations

Medium ($200)

  • Vulnerabilities that cause specific functions to behave unexpectedly or negatively impact user experience

  • Examples include node execution errors, technical inaccuracies in documentation, or deposit/withdrawal issues

Low ($25)

  • Issues that do not affect system security but involve minor bugs such as UI/UX issues, typos, visual errors, or process flow defects

  • Suggestions for overall quality improvement of the service

Eligible Bug Criteria

  • The issue must be exploitable by a real user or attacker in the normal operating environment and default settings of the L3 mainnet.

  • The bug must be reproducible and objectively verifiable, posing a threat to the system’s security or reliability to be deemed eligible.

  • Logical flaws that can cause system malfunctions, if they can be clearly exploited (e.g., akin to a DDoS attack), may be considered eligible.

  • Whether the issue occurs on a single node, client, or the entire network, its impact must be clear and accompanied by a realistic threat scenario in an operational environment.

  • Technical flaws or configuration errors present in the latest release or documentation will be evaluated for eligibility based on their impact.

Ineligible Bug Criteria

  • Attacks requiring physical access or those that exhaust system resources through excessive traffic (e.g., DDoS attacks) fall outside the scope of typical software vulnerabilities and are excluded from the Bug Bounty Program.

  • Reports lacking sufficient details—such as step-by-step instructions, reproducible examples, or proof of concept—will be excluded.

  • Issues that only occur in outdated or unsupported browsers, vulnerabilities already publicly known, or problems already identified internally by the team will not qualify for rewards if reported as duplicates.

  • Vulnerabilities requiring excessive user intervention (e.g., bugs that need complex manipulation to trigger), simple security configuration suggestions, best practice recommendations, or theoretical reports without proof of concept are considered ineligible.

  • Incidents are not included in bug reports. An incident refers to a situation where the entire system or a major function temporarily stops working, affecting multiple users simultaneously. Such issues may arise from external factors beyond the control of developers or security experts (e.g., server downtime or network issues).

How to Submit a Bug Bounty Report

  1. While there is no specific template, your submission must include the following details:

Category: Content

Bug Title

A concise title describing the bug.

Bug Description

  • A detailed explanation of the bug, including what the issue is and its potential impact.

  • Be as specific as possible.

Step-by-Step Reproduction

  • The exact, ordered steps needed to reproduce the bug, so that the team can verify it.

  • Include a reproducible example or proof of concept where possible.

Impact

The impact of the bug on the system.

Severity

The severity level based on the defined severity categories.

Supporting Materials

Evidence to substantiate the bug (e.g., screenshots, videos).

  2. Please compile the above information into a document and send it to [email protected].
