# Bug Bounty Program

## Bug Bounty Program Overview

The dKargo Bug Bounty Program is designed to enhance the security and stability of both our Testnet and Mainnet. This document outlines the program's purpose, evaluation criteria, reward structure, and submission procedures.

## Severity Levels and Rewards

{% hint style="info" %}
Bug severity is classified into four levels based on its potential impact on the mainnet.
{% endhint %}

| Severity | Description and Examples                                                                                                                                                                                                                          | Rewards |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| Critical | <ul><li>Vulnerabilities that can disable core system functions or be exploited</li><li>Severe security threats such as network downtime, asset theft, or significant data tampering</li></ul>                                                     | $2,000  |
| High     | <ul><li>Vulnerabilities that can impact service functionality</li><li>Issues like data manipulation, API security flaws, or potential exploitation of the Faucet system</li><li>Bugs that can directly affect service operations</li></ul>        | $700    |
| Medium   | <ul><li>Vulnerabilities that cause specific functions to behave unexpectedly or negatively impact user experience</li><li>Examples include node execution errors, technical inaccuracies in documentation, or deposit/withdrawal issues</li></ul> | $200    |
| Low      | <ul><li>Issues that do not affect system security but involve minor bugs such as UI/UX issues, typos, visual errors, or process flow defects</li><li>Suggestions for overall quality improvement of the service</li></ul>                         | $25     |

## Eligible Bug Criteria

{% hint style="success" %}
A bug report will be considered eligible if it meets the following conditions.
{% endhint %}

* The issue must be exploitable by a real user or attacker in the normal operating environment and default settings of the L3 mainnet.
* To be deemed eligible, the bug must be reproducible and objectively verifiable, and must pose a threat to the system’s security or reliability.
* Logical flaws that can cause system malfunctions, if they can be clearly exploited (e.g., akin to a DDoS attack), may be considered eligible.
* Whether the issue occurs on a single node, client, or the entire network, its impact must be clear and accompanied by a realistic threat scenario in an operational environment.
* Technical flaws or configuration errors present in the latest release or documentation will be evaluated for eligibility based on their impact.

## Ineligible Bug Criteria

{% hint style="danger" %}
The following items are excluded from the Bug Bounty Program.
{% endhint %}

* Attacks requiring physical access or those that exhaust system resources through excessive traffic (e.g., DDoS attacks) fall outside the scope of typical software vulnerabilities and are excluded from the Bug Bounty Program.
* Reports lacking sufficient details—such as step-by-step instructions, reproducible examples, or proof of concept—will be excluded.
* Issues that only occur in outdated or unsupported browsers, vulnerabilities already publicly known, or problems already identified internally by the team will not qualify for rewards if reported as duplicates.
* Vulnerabilities requiring excessive user intervention (e.g., bugs that need complex manipulation to trigger), simple security configuration suggestions, best practice recommendations, or theoretical reports without proof of concept are considered ineligible.
* Incidents are not included in bug reports. An incident refers to a situation where the entire system or a major function temporarily stops working, affecting multiple users simultaneously. Such issues may arise from external factors beyond the control of developers or security experts (e.g., server downtime or network issues).

## How to Submit a Bug Bounty Report

1. While there is no specific template, your submission must include the following details:

| Category                  | Content                                                                                                                                         |
| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| Bug Title                 | A concise title describing the bug.                                                                                                             |
| Bug Description           | <ul><li>A detailed explanation of the bug, including what the issue is and its potential impact.</li><li>Be as specific as possible.</li></ul>  |
| Step-by-Step Reproduction | <ul><li>A detailed explanation of the bug, including what the issue is and its potential impact. </li><li>Be as specific as possible.</li></ul> |
| Impact                    | The impact of the bug on the system.                                                                                                            |
| **Severity**              | The severity level based on the defined severity categories.                                                                                    |
| Supporting Materials      | Evidence to substantiate the bug (e.g., screenshots, videos).                                                                                   |

2. Please compile the above information into a document and send it to <hello@dkargo.io>.

