Ring Protocol Bug Bounty

Overview

Scope

  • BondingCurve
  • Core
  • Genesis
  • Oracle
  • PCV

The following are not within the scope of the Program:

  • The example contracts and the contracts in the test folder
  • Contract code that is not within or has been removed from the mentioned above folders
  • Bugs in any third party contract or platform that interacts with Ring Protocol
  • Any designed business logics
  • Vulnerabilities already reported and/or discovered in contracts built by third parties on Ring Protocol
  • Any already-reported bugs.

Vulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:

Front end bugs;

  • DDOS attack;
  • Spamming;
  • Automated tools; and
  • Compromising or misusing third-party systems or services.

Program Rewards

  • Critical (9.0–10.0): Up to $20,000
  • High (7.0–8.9): Up to $5,000
  • Medium (4.0–6.9): Up to $1,000
  • Low (0.1–3.9): Up to $500

In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.

Disclosure

  • The conditions on which reproducing the bug are contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount.

Anyone who reports a unique, previously unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if agreed.

Eligibility

  • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on Ring Protocol (but not on any third party platform interacting with Ring Protocol) and that is within the scope of this Program.
  • Be the first to disclose the unique vulnerability to contact@ring.exchange, in compliance with the disclosure requirements above.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not engage in any unlawful conduct when disclosing the bug to contact@ring.exchange, including through threats, demands, or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption, or degradation of Ring Protocol.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Be at least 18 years of age.
  • Not be subject to US sanctions or reside in a US-embargoed country.
  • Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
  • Comply with all the eligibility requirements of the Program.

Other Terms

The terms and conditions of this Program may be altered at any time.

Read more:

One Ring to rule them all — Yield Compounding Stablecoin Protocol on Uniswap V3