Agglayer
Bounty Range
$2,000 - $250,000
external program
Agglayer is a cross-chain settlement layer that connects the liquidity and users of any blockchain for fast, low-cost interoperability and growth.
The Agglayer's Vault Bridge is a customizable yield-generating mechanism for providing L2s with a native revenue stream. It's designed to help EVM chains move toward a more durable, less extractive economic model for funding ecosystem growth.
For more information about Agglayer: https://www.agglayer.dev/
| Severity | Maximum Reward |
|---|---|
| Critical | $250,000 |
| High | $10,000 |
| Medium | $2,000 |
No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
No Conflict of Interest: Individuals currently or formerly employed by Polygon, or those who contributed to the development of the affected code, are ineligible to participate.
Please report vulnerabilities directly through the Spearbit/Cantina platform. Please include:
Reports should be made as soon as possible—ideally within 24 hours of discovery.
To be eligible for a reward, you must:
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Please refer to the default severity classification.
Notes:
By submitting a report, you grant Polygon the rights necessary to investigate, mitigate, and disclose the vulnerability.
Reward decisions and eligibility are at the sole discretion of Polygon.
The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.
Payouts are handled by the Polygon Labs team directly and are denominated in USD. Payouts are made in USDC or POL at the Polygon Labs team's discretion.
Polygon Labs commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures.
POL payouts will be determined using the 5-day TWAP price calculated from the payment date.
Polygon Labs requires an invoice to be received for each payout. An invoice template can be provided by Polygon Labs.
This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions.
If the individual is a US person, tax information may be required in order to properly issue a 1099.