Details

Cantina Bounty

Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.

Guidelines

Scope: Only vulnerabilities found on our websites
- https://cantina.xyz and its subdomains are eligible for rewards.
- https://spearbit.com and its subdomains are eligible for rewards.
- Any email infrastructure used by cantina.xyz or spearbit.com
Testing: Do not perform any testing that could disrupt our services or compromise user data.
Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.
Submission: All submissions must be done on this bounty repository on cantina code. More details on submissions https://docs.cantina.xyz/cantina-docs/cantina-code/cantina-code-for-security-researchers/findings/findings-submission

Vulnerability Rewards

Here's a general overview:

Severity	Reward Range
Critical	$20,000 - $25,000
High	$10,000 - $20,000
Medium	$1,000 - $10,000
Low	Discretionary

Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.

Severity Levels

Critical
- Remote code execution
- Unauthorized access to sensitive user data
- Ability to perform actions as a privileged user
High
- SQL injection
- Cross-Site Scripting (XSS) with significant impact
- Authentication bypass
Medium
- Cross-Site Request Forgery (CSRF)
- Server-side request forgery
- Sensitive information disclosure
Low
- Cross-Site Scripting (XSS) with limited impact
- Open redirects
- Clickjacking vulnerabilities

Out of Scope

The following activities and vulnerability types are considered out of scope for this bug bounty program:

Physical attacks against our employees, offices, or data centers
Social engineering attacks against our employees or users
Vulnerabilities in applications or systems not owned by us
Vulnerabilities requiring physical access to a user's device
Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

Testing Guidelines

To ensure safe and responsible testing:

Use only your own accounts or test accounts for testing.
Do not attempt to access, modify, or destroy data that does not belong to you.
Be mindful of testing that might impact system availability or integrity.
Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.

Thank you for helping us keep our platform secure!

Guidelines

Scope: Only vulnerabilities found on our websites

https://cantina.xyz and its subdomains are eligible for rewards.
https://spearbit.com and its subdomains are eligible for rewards.
Any email infrastructure used by cantina.xyz or spearbit.com

Testing: Do not perform any testing that could disrupt our services or compromise user data.

Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.

Submission: All submissions must be done on this bounty repository on cantina code. More details on submissions https://docs.cantina.xyz/cantina-docs/cantina-code/cantina-code-for-security-researchers/findings/findings-submission

Severity

Reward Range

Critical

$20,000 - $25,000

High

$10,000 - $20,000

Medium

$1,000 - $10,000

Low

Discretionary

Severity Levels

Critical

Remote code execution
Unauthorized access to sensitive user data
Ability to perform actions as a privileged user

High

SQL injection
Cross-Site Scripting (XSS) with significant impact
Authentication bypass

Medium

Cross-Site Request Forgery (CSRF)
Server-side request forgery
Sensitive information disclosure

Low

Cross-Site Scripting (XSS) with limited impact
Open redirects
Clickjacking vulnerabilities

Out of Scope

The following activities and vulnerability types are considered out of scope for this bug bounty program:

Physical attacks against our employees, offices, or data centers

Social engineering attacks against our employees or users

Vulnerabilities in applications or systems not owned by us

Vulnerabilities requiring physical access to a user's device

Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

Testing Guidelines

To ensure safe and responsible testing:

Use only your own accounts or test accounts for testing.

Do not attempt to access, modify, or destroy data that does not belong to you.

Be mindful of testing that might impact system availability or integrity.

Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.

Thank you for helping us keep our platform secure!