🛡️

Security

Security is at the core of everything we do. Learn about our security measures, responsible disclosure policy, and how to report vulnerabilities.

Report a Vulnerability

Found a security issue? Report it responsibly.

security@bug3.io

Bug Bounty Program

Earn rewards for finding bugs in our platform.

View Program

Security Audits

View our third-party security audit reports.

View Audits

Responsible Disclosure Policy

Our Commitment

Bug3 is committed to working with security researchers to improve the security of our platform. We appreciate the efforts of the security community and will work with you to understand and resolve any issues you discover.

Scope

Our responsible disclosure policy covers:

Bug3 web application (bug3.io and subdomains)
Bug3 smart contracts deployed on Polygon mainnet
Bug3 API endpoints and infrastructure
Bug3 mobile applications (when available)

Out of Scope:

Third-party services and integrations
Social engineering attacks
Physical attacks on our infrastructure
Denial of service attacks
Issues in third-party libraries without proof of exploitability

Guidelines

When researching vulnerabilities, please:

Only test against accounts you own or have explicit permission to test
Do not access, modify, or delete data belonging to other users
Do not perform attacks that degrade our service availability
Do not exploit vulnerabilities beyond the minimum needed to demonstrate the issue
Report vulnerabilities as soon as possible after discovery
Provide sufficient detail to reproduce the issue

Reporting Process

Submit Report

Email security@bug3.io with vulnerability details

Acknowledgment

We'll acknowledge receipt within 24 hours

Investigation

Our team will investigate and keep you updated

Resolution

We'll fix the issue and notify you when it's resolved

Bug Bounty Rewards

We offer rewards for valid security vulnerabilities based on their severity and impact. All rewards are paid in USDC on the Polygon network.

Critical

$5,000

Remote code execution, authentication bypass, privilege escalation

High

$2,500

SQL injection, XSS with significant impact, smart contract vulnerabilities

Medium

$1,000

CSRF, limited XSS, information disclosure, business logic flaws

Low

$250

Minor configuration issues, non-sensitive information disclosure

Note: Reward amounts are at our discretion based on impact, exploitability, and quality of the report. Duplicate reports are not eligible for rewards.

Platform Security Measures

Smart Contract Security

✓Multiple independent security audits
✓Formal verification of critical functions
✓Multi-signature wallet for admin functions
✓Timelock contracts for upgrades
✓Emergency pause mechanisms

Application Security

✓End-to-end encryption for sensitive data
✓Regular penetration testing
✓Secure API rate limiting
✓Input validation and sanitization
✓Content Security Policy (CSP)

Security Audits

We regularly engage independent security firms to audit our smart contracts and platform. All audit reports are publicly available for transparency.

Smart Contract Audit - ConsenSys Diligence

Completed

Comprehensive audit of Bug3 core smart contracts including bounty management, voting, and token contracts.

July 2025Download Report →

Platform Security Review - Trail of Bits

Completed

Security assessment of Bug3 web application, API endpoints, and infrastructure components.

June 2025Download Report →

Follow-up Security Audit - Certik

In Progress

Ongoing security review of platform updates and new features implemented since initial launch.

Expected: August 2025Report pending

Questions About Security?

Our security team is available to answer questions about our security measures, responsible disclosure process, or to discuss potential security collaborations.

Contact Security Team General Contact

Bug3

Loading Bug3 Platform...

Responsible Disclosure Policy

Our Commitment

Scope

Our responsible disclosure policy covers:

Bug3 web application (bug3.io and subdomains)
Bug3 smart contracts deployed on Polygon mainnet
Bug3 API endpoints and infrastructure
Bug3 mobile applications (when available)

Out of Scope:

Third-party services and integrations
Social engineering attacks
Physical attacks on our infrastructure
Denial of service attacks
Issues in third-party libraries without proof of exploitability

Guidelines

When researching vulnerabilities, please:

Only test against accounts you own or have explicit permission to test
Do not access, modify, or delete data belonging to other users
Do not perform attacks that degrade our service availability
Do not exploit vulnerabilities beyond the minimum needed to demonstrate the issue
Report vulnerabilities as soon as possible after discovery
Provide sufficient detail to reproduce the issue

Reporting Process

Submit Report

Email security@bug3.io with vulnerability details

Acknowledgment

We'll acknowledge receipt within 24 hours

Investigation

Our team will investigate and keep you updated

Resolution

We'll fix the issue and notify you when it's resolved

Bug Bounty Rewards

We offer rewards for valid security vulnerabilities based on their severity and impact. All rewards are paid in USDC on the Polygon network.

Critical

$5,000

Remote code execution, authentication bypass, privilege escalation

High

$2,500

SQL injection, XSS with significant impact, smart contract vulnerabilities

Medium

$1,000

CSRF, limited XSS, information disclosure, business logic flaws

Low

$250

Minor configuration issues, non-sensitive information disclosure

Note: Reward amounts are at our discretion based on impact, exploitability, and quality of the report. Duplicate reports are not eligible for rewards.

Platform Security Measures

Smart Contract Security

✓Multiple independent security audits
✓Formal verification of critical functions
✓Multi-signature wallet for admin functions
✓Timelock contracts for upgrades
✓Emergency pause mechanisms

Application Security

✓End-to-end encryption for sensitive data
✓Regular penetration testing
✓Secure API rate limiting
✓Input validation and sanitization
✓Content Security Policy (CSP)

Security Audits

We regularly engage independent security firms to audit our smart contracts and platform. All audit reports are publicly available for transparency.

Smart Contract Audit - ConsenSys Diligence

Completed

Comprehensive audit of Bug3 core smart contracts including bounty management, voting, and token contracts.

July 2025Download Report →

Platform Security Review - Trail of Bits

Completed

Security assessment of Bug3 web application, API endpoints, and infrastructure components.

June 2025Download Report →

Follow-up Security Audit - Certik

In Progress

Ongoing security review of platform updates and new features implemented since initial launch.

Expected: August 2025Report pending