as of 01/30/2023
Security is important to us, and we value the input of ethical hackers acting in good faith to help us maintain the highest standards for the security and safety of the MultiversX ecosystem. Even if the Hatom protocol has undergone professional audits and formal verification, it still depends on a new technology that may contain undiscovered vulnerabilities.
Our community is encouraged to audit our contracts and security and responsibly disclose any issue. The bug bounty program has been implemented to recognize the value of working with the community of independent security researchers and to set out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
Substantial rewards are offered for any discovery that can prevent the loss or the freezing of assets, harm to a user, or commensurate with the severity and exploitability of the vulnerability. According to the terms and conditions provided below, a reward of $500 and up to $150,000 will be paid for eligible discoveries.
The primary scope of the bug bounty program is for vulnerabilities affecting the on-chain Hatom Protocol, deployed to the MultiversX Mainnet, for mainnet contract addresses listed in this developer documentation.
This list may change as new contracts are deployed or existing contracts are removed from usage. Vulnerabilities in contracts built on top of the Protocol by third-party developers (such as smart contract wallets) are not in-scope, nor are vulnerabilities that require ownership of an admin key.
The secondary scope of the bug bounty program is for vulnerabilities affecting the Hatom Interface hosted at app.hatom.com that could conceivably result in exploiting user accounts.
Finally, test contracts (MultiversX Devnet) and staging servers are out of scope unless the discovered vulnerability also affects the Hatom Protocol or Interface or could otherwise be exploited in a way that risks user funds.
Submit all bug bounty disclosures to [email protected]. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in written or video format. Hatom will follow up promptly with acknowledgment of the disclosure.
Terms and Conditions
To be eligible for bug bounty reward consideration, you must:
- Identify an original, previously unreported, non-public vulnerability within the scope of the Hatom bug bounty program as described above.
- Include sufficient detail in your disclosure to enable our engineers to reproduce, understand, and fix the vulnerability quickly.
- Be at least 18 years of age.
- Be reported in an individual capacity, or if employed by a company, reporting with the company’s written approval to submit a disclosure to Hatom.
- Not be subject to US sanctions or reside in a US-embargoed country.
- Not be a current or former Hatom employee, vendor, contractor, or employee of a Hatom vendor or contractor.
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:
- Play by the rules, including following the terms and conditions of this program and any other relevant agreements. If there is any inconsistency between this program and any other applicable agreements, the terms of this program will prevail.
- Report any vulnerability you’ve discovered promptly.
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming the user experience.
- Keep the details of any discovered vulnerabilities confidential until they are fixed.
- Perform testing only on in-scope systems and respect systems and out-of-scope activities.
- Only interact with accounts you own or with explicit permission from the account holder.
- Not engage in blackmail, extortion, or any other unlawful conduct.
When working with us according to this program, you can expect us to:
- Pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery at Hatom's sole discretion.
- Extend Safe Harbor for your vulnerability research that is related to this program, meaning we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.
- Work with you to understand and validate your report, including timely initial response to the submission.
- Work to remediate discovered vulnerabilities promptly.
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability and your report triggers a code or configuration change.