Bug Bounty Terms

Last modified: 8 November 2024

Contracts

The Program includes vulnerabilities and bugs in any deployed Javsphere and LeverageX contracts. These include those within the following GitHub repositories:

https://github.com/Javsphere/contracts

However, if you find a bug in a Javsphere smart contract outside of these repositories, where user funds are at risk, the team will consider the issue to be in scope for Javsphere’s bounty.

Websites

Out of Scope

  • Clickjacking (Javsphere do allow 3rd parties to iframe it)

  • DDOS

  • Bugs in third party code

  • Dev branches that are not deployed in public packages or contracts.

  • Deprecated and not supported contracts

  • Third party contracts that are not under the direct control of Javsphere and LeverageX

  • Issues already listed in the audits for the contracts above

  • Bugs in third party contracts or applications that use Javsphere and LeverageX contracts

  • Brute force attacks

  • Rounding errors

  • Extreme market turmoil vulnerability

  • Gas optimization recommendations

  • Task Hijacking (Strandhogg)

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.

  • Javsphere recommends testing on local forks, for example using foundry.

  • Public disclosure of bugs without the consent of the protocol team!!!.

  • Conflict of Interest: any employee or contractor who currently works, or previously worked, for or with Zero to Three Inc., Javsphere, LeverageX cannot participate in the Bug Bounty without prior approval.

Disclosure

The vulnerability must not be disclosed publicly or to any other person, entity, or email address before Zero to Three Inc., Javsphere or LeverageX has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, the disclosure must be made within 24 hours following the discovery of the vulnerability.

Reports must be submitted/emailed directly to Javsphere’s security team at info@javsphere.com only.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.

  • The steps needed to reproduce the bug or, preferably, a proof of concept.

  • The potential implications of the vulnerability being abused.

Anyone who reports a unique, previously unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by Javsphere’s engineers will be recognized publicly for their contribution if they so choose.

Eligibility

To be eligible for a reward under this Program, you must:

  • Discover a previously-unreported, non-public vulnerability that is not previously known by the team and within the scope of this Program.

  • Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements.

  • Provide sufficient information to enable Javsphere’s engineers to reproduce and fix the vulnerability.

  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).

  • Not publicize a vulnerability in any way, other than through private reporting to Javsphere.

  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.

  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.

  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.

  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.

  • Not be subject to US sanctions or reside in a US-embargoed country.

  • Not be one of Javsphere’s current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.

  • Comply with all the eligibility requirements of the Program.

Rewards

The Program includes the following 4-level severity scale:

  • Critical Issues that could impact numerous users and have serious reputational, legal or financial implications. An example would be being able to lock contracts permanently or take funds from all users.

  • High Issues that impact individual users where exploitation would pose reputational, legal or financial implications

  • Medium Issues moderate financial risk to the user. The risk is relatively small and does not pose a threat to user funds.

  • Low/Informational The issue does not pose an immediate risk but is relevant to security best practices.

Rewards will be given based on the above severity and the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Zero to Three Inc.

Payout Calculations

Select the payout amounts by which part of Javsphere’s product the bug is in.

Javsphere & LeverageX - Contracts Code

Reach out to the protocols team for any bug in the contract code.

Risk Score

Payout

Critical

$20,000

High

$2,500

Medium

$ 500

Low

Discretionary

Javsphere & LeverageX - Web Interface

This is for only the site that handles wallet interactions (app.javsphere.com & app.leveragex.trade)

Risk Score

Payout

Critical

$ 10,000

High

$ 1,500

Medium

$ 500

Low

Discretionary

Javsphere & LeverageX - Other Websites

This is for websites that belong to Javsphere, but do not do wallet interactions such as the landing page.

Risk Score

Payout

Critical

$ 10,000

High

$ 1500

Medium

$ 500

Low

Discretionary

Other Terms

By submitting your report, you grant Zero to Three Inc any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Javsphere’s sole discretion.The terms and conditions of this Program may be altered at any time.

Start date:

08.11.2024 Jul 2024 11:00pm (UTC)

Last updated