Welcome to the youves Bug Bounty program. youves shall be as secure as it can be, so we’re calling on you to help find any bugs or vulnerabilities. Submit a bug and earn a reward of up to USD 100,000.
The following Rules & Rewards apply:
Rules
- Public disclosure of a vulnerability makes it ineligible for a reward.
- Duplicated issues are not eligible for rewards. The first submission is considered the eligible one.
- If you want to add more information to an identified vulnerability, create an additional submission and give reference to the initial one.
- Whether you will receive rewards will be decided within the discretion of youves, taking into account the terms of this Bug Bounty program and the youves governance process
- Rewards will vary depending on the severity and the probability of occurrence of the issue. Other qualitative matters considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
- Determinations of eligibility, score and all terms related to a reward are at the sole and final discretion of youves and its governance process.
- Submissions need to be related to the Bug Bounty scope. Submissions outside the Bug Bounty scope are not eligible for a reward.
- Any interference with the protocol, client or platform services, on purpose or not, during the process will make the submission process invalid.
- Terms and conditions of the Bug Bounty process may change over time, subject to the youves governance process.
- The severity of the identified vulnerabilities will be based on the OWASP risk rating model (www.owasp.org), and are categorised for their impact and likelihood.
Rewards
Rewards are paid in tez or fiat and amounts are defined based on the above described process:
Critical: up to $100,000
High: up to $25,000
Medium: up to $5,000
Low: up to $1,000
| Almost certain | $ 1,000 | $ 2,000 | $ 5,000 | $ 25,000 | $ 100,000 |
| Likely | $ 500 | $ 1,000 | $ 2,000 | $ 5,000 | $ 25,000 |
| Possible | $ 100 | $ 500 | $ 1,000 | $ 2,000 | $ 5,000 |
| Unlikely | $ 100 | $ 100 | $ 500 | $ 1,000 | $ 5,000 |
| Almost possible | $ 100 | $ 100 | $ 100 | $ 500 | $ 1,000 |
| Very low | Low | Moderate | High | Severe |
Bug Bounty Scope
The bug bounty will be applicable for the following repositories, sources and sites.
References
Additional references that need to be considered before submitting an identified vulnerability.
Vulnerabilities Classification
Critical
An issue that might cause immediate loss of > 10% of the funds, or permanent impairment of the protocol state.
High
An issue that might cause immediate loss of <10% of the funds, or severely damage the protocol state.
Medium
An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.
Low
An issue that might cause user dissatisfaction or minimal failure.
Exclusions
Please refrain from the following activities whilst researching:
- Denial of service
- Spamming
- Social engineering (including phishing) of youves ecosystem members
- Any physical attempts against youves’ ecosystem members or data centers
FAQ
There is no end date for this Bug Bounty program, as code quality is a continuous focus of the youves ecosystem. Terms of the program are at the sole and final discretion of youves and its governance process.
There is no end date for this Bug Bounty program, as code quality is a continuous focus of the youves ecosystem. Terms of the program are at the sole and final discretion of youves and its governance process.
In order to claim your reward you will have to submit the required documentation and provide youves with your Tezos address or bank account details.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will support you by announcing that your actions were conducted in compliance with this policy.
Bug Submission
Please report your identified vulnerability with the form below. Try to be as specific and clear as possible. youves developers will be in touch with you as soon as possible once you have submitted the report.