Bug Bounty

as of 02/01/2025

At Hatom, security is of utmost importance, and we value the input of ethical hackers acting in good faith to help us maintain the highest standards for the security and safety of the MultiversX ecosystem. Despite thorough professional audits and formal verification, the Hatom protocol is built on new technology that may contain undiscovered vulnerabilities.

We encourage our community to audit our contracts and security and to responsibly disclose any issues they find. Our Bug Bounty Program has been created to recognize the contributions of independent security researchers. It sets out our definition of good faith in the context of vulnerability reporting and outlines what researchers can expect from us in return.


Rewards

Substantial rewards, commensurate with the severity and exploitability of the vulnerability, are available for discoveries that can prevent the loss or freezing of assets or harm to users. According to the terms and conditions outlined below, rewards range from $500 to $500,000 for eligible discoveries.


Scope

The primary scope of the Bug Bounty Program covers vulnerabilities affecting the on-chain Hatom Protocol, deployed to the MultiversX Mainnet, specifically the Mainnet contract addresses listed in our developer documentation. This list may evolve as new contracts are deployed or existing ones are retired. Vulnerabilities in third-party contracts built on top of the protocol (such as smart contract wallets) or those requiring admin key ownership are out of scope.

The secondary scope includes vulnerabilities affecting the Hatom Interface hosted at app.hatom.com, particularly those that could result in the exploitation of user accounts.

Vulnerabilities in test contracts (MultiversX Devnet) and staging servers are out of scope unless they also affect the Hatom Protocol or Interface, or pose a risk to user funds.


Disclosure

Submit all bug bounty disclosures to [email protected]. Disclosures must include clear and concise steps to reproduce the discovered vulnerability, either in written or video format. Hatom will promptly acknowledge receipt of the disclosure.


Terms and Conditions

To be eligible for bug bounty rewards, you must:

  • Identify an original, previously unreported, non-public vulnerability within the scope of the Hatom Bug Bounty Program.

  • Provide sufficient detail in your disclosure to allow our engineers to reproduce, understand, and fix the vulnerability quickly.

  • Be at least 18 years old.

  • Report in an individual capacity or, if employed by a company, have written approval from your company to submit the disclosure to Hatom.

  • Not be subject to U.S. sanctions or reside in a U.S.-embargoed country.

  • Not be a current or former Hatom employee, vendor, contractor, or employee of a Hatom vendor or contractor.

To distinguish good-faith hacking from malicious activity, you must:

  • Follow the program’s terms and any other applicable agreements. If there's a conflict between this program and other agreements, this program's terms will prevail.

  • Report vulnerabilities promptly.

  • Avoid violating the privacy of others, disrupting systems, destroying data, or harming the user experience.

  • Use only [email protected] to discuss vulnerabilities.

  • Keep discovered vulnerabilities confidential until they are fixed.

  • Perform testing only on in-scope systems and respect out-of-scope boundaries.

  • Interact only with accounts you own or have explicit permission to access.

  • Avoid engaging in blackmail, extortion, or unlawful conduct.


Our Commitment

When you work with us in good faith, you can expect:

  • Generous rewards based on the severity and exploitability of your discovery, at Hatom’s discretion.

  • Safe Harbor protection for your vulnerability research related to this program, meaning we won’t pursue legal action against you if you comply with our rules.

  • Prompt validation of your report and timely acknowledgment of your submission.

  • Swift remediation of discovered vulnerabilities.

  • Recognition for your contribution if you're the first to report a unique vulnerability that leads to a code or configuration change.

Note that all reward determinations, including eligibility and payment amount, are made at Hatom's sole discretion. Hatom reserves the right to reject submissions and to alter the terms and conditions of this program.

We will also partner with Immunefi to further simplify the process of reporting bugs.
