Security

Security is at the core of everything we do. Learn about our security measures, responsible disclosure policy, and how to report vulnerabilities.

Report a Vulnerability

Found a security issue? Report it responsibly.

security@bug3.io

Bug Bounty Program

Earn rewards for finding bugs in our platform.

Security Audits

View our third-party security audit reports.

Responsible Disclosure Policy

Our Commitment

Bug3 is committed to working with security researchers to improve the security of our platform. We appreciate the efforts of the security community and will work with you to understand and resolve any issues you discover.

Scope

Our responsible disclosure policy covers:

  • Bug3 web application (bug3.io and subdomains)
  • Bug3 smart contracts deployed on Polygon mainnet
  • Bug3 API endpoints and infrastructure
  • Bug3 mobile applications (when available)

Out of Scope:

  • Third-party services and integrations
  • Social engineering attacks
  • Physical attacks on our infrastructure
  • Denial of service attacks
  • Issues in third-party libraries without proof of exploitability

Guidelines

When researching vulnerabilities, please:

  • Only test against accounts you own or have explicit permission to test
  • Do not access, modify, or delete data belonging to other users
  • Do not perform attacks that degrade our service availability
  • Do not exploit vulnerabilities beyond the minimum needed to demonstrate the issue
  • Report vulnerabilities as soon as possible after discovery
  • Provide sufficient detail to reproduce the issue

Reporting Process

1. Submit Report: email security@bug3.io with the vulnerability details
2. Acknowledgment: we'll acknowledge receipt within 24 hours
3. Investigation: our team will investigate and keep you updated
4. Resolution: we'll fix the issue and notify you when it's resolved

Bug Bounty Rewards

We offer rewards for valid security vulnerabilities based on their severity and impact. All rewards are paid in USDC on the Polygon network.

  • Critical ($5,000): remote code execution, authentication bypass, privilege escalation
  • High ($2,500): SQL injection, XSS with significant impact, smart contract vulnerabilities
  • Medium ($1,000): CSRF, limited XSS, information disclosure, business logic flaws
  • Low ($250): minor configuration issues, non-sensitive information disclosure

Note: Reward amounts are at our discretion based on impact, exploitability, and quality of the report. Duplicate reports are not eligible for rewards.

Platform Security Measures

Smart Contract Security

  • Multiple independent security audits
  • Formal verification of critical functions
  • Multi-signature wallet for admin functions
  • Timelock contracts for upgrades
  • Emergency pause mechanisms
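To make the last three items concrete, here is an added illustrative contract (not Bug3's deployed code, and not taken from any of the audits above) that combines them: an `admin` address assumed to be a multisig, a timelock on a configuration change, and an emergency pause on the user-facing path. The contract name, the 2-day delay, and the `feeBps` parameter are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative example only; not Bug3's code. Shows three admin-side
/// controls in one minimal vault: a multisig-held admin, a timelock on
/// parameter changes, and an emergency pause on user-facing functions.
contract TimelockedBountyVault {
    address public admin;                    // assumed to be a multisig in practice
    uint256 public constant DELAY = 2 days;  // hypothetical timelock delay
    bool public paused;

    // Hypothetical admin-controlled parameter: fee on withdrawals, in basis points.
    uint256 public feeBps;
    uint256 public collectedFees;
    mapping(address => uint256) public balances;

    // A queued change: the new value and the earliest time it may be applied.
    struct Pending { uint256 value; uint256 eta; bool exists; }
    Pending public pendingFee;

    event FeeQueued(uint256 value, uint256 eta);
    event FeeApplied(uint256 value);
    event FeeCancelled();
    event PausedSet(bool paused);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address multisig) {
        require(multisig != address(0), "zero admin");
        admin = multisig;
    }

    // Step 1 of a change: queue it. Nothing takes effect yet; the delay gives
    // users and monitoring a window to react if the admin key is compromised.
    function queueFee(uint256 newFeeBps) external onlyAdmin {
        require(newFeeBps <= 1_000, "fee > 10%");
        uint256 eta = block.timestamp + DELAY;
        pendingFee = Pending({value: newFeeBps, eta: eta, exists: true});
        emit FeeQueued(newFeeBps, eta);
    }

    // Step 2: apply only once the delay has elapsed.
    function applyFee() external onlyAdmin {
        Pending memory p = pendingFee;
        require(p.exists, "nothing queued");
        require(block.timestamp >= p.eta, "timelock active");
        delete pendingFee;
        feeBps = p.value;
        emit FeeApplied(p.value);
    }

    // The admin can discard a queued change before it is applied.
    function cancelFee() external onlyAdmin {
        delete pendingFee;
        emit FeeCancelled();
    }

    // Pausing is deliberately NOT timelocked: an emergency stop must be immediate.
    // Unpausing is also immediate here; some designs timelock the unpause.
    function setPaused(bool p) external onlyAdmin {
        paused = p;
        emit PausedSet(p);
    }

    // User-facing paths are blocked while paused.
    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;             // effects before interaction
        uint256 fee = (amount * feeBps) / 10_000;   // uses the applied, not pending, fee
        collectedFees += fee;
        (bool ok, ) = msg.sender.call{value: amount - fee}("");
        require(ok, "transfer failed");
    }
}
```

The point of the split between `queueFee` and `applyFee` is that a single compromised admin transaction cannot change user-affecting parameters instantly, while `setPaused` stays instant because an incident response needs it to be. Deploying with a multisig as `admin` is what turns "admin" into a multi-party control; the contract itself cannot enforce that.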

Application Security

  • End-to-end encryption for sensitive data
  • Regular penetration testing
  • Secure API rate limiting
  • Input validation and sanitization
  • Content Security Policy (CSP)

Security Audits

We regularly engage independent security firms to audit our smart contracts and platform. Completed audit reports are published for transparency; audits still in progress are listed with their expected completion date.

Smart Contract Audit - ConsenSys Diligence

Completed

Comprehensive audit of Bug3 core smart contracts including bounty management, voting, and token contracts.

Platform Security Review - Trail of Bits

Completed

Security assessment of Bug3 web application, API endpoints, and infrastructure components.

Follow-up Security Audit - Certik

In Progress

Ongoing security review of platform updates and new features implemented since initial launch.

Expected: August 2025. Report pending.

Questions About Security?

Our security team is available to answer questions about our security measures, responsible disclosure process, or to discuss potential security collaborations.