Symbiotic Bug Bounty

Introduction

Symbiotic is a shared security protocol designed to create a marketplace for economic security. It enables networks that need security to access it from those who have assets to stake, creating an efficient ecosystem where stake can be shared and utilized across multiple networks. Through its flexible architecture, stake providers can maximize their returns while networks can obtain the security guarantees they need.

Prohibited Actions

No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
No Conflict of Interest: Individuals currently or formerly employed by Symbiotic, or who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Please report vulnerabilities directly to Cantina Platform. Include:

A clear description of the vulnerability and its impact.
Steps to reproduce the issue (proof of concept preferred).
Conditions under which the issue occurs.
Potential implications if exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

Be the first to report a previously unknown, non-public vulnerability within scope.
Provide sufficient information to reproduce and fix the issue.
Not have exploited the vulnerability in a malicious manner.
Not have disclosed the vulnerability to third parties prior to receiving permission.
Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity

Vulnerabilities are classified by Impact and Likelihood. The combination determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions

Critical: Leads to severe loss of user funds, permanent system disruption, or widespread compromise.
High: Causes notable financial loss or significantly harms user trust, but on a lesser scale than Critical.
Medium: Results in limited financial damage or moderate system impact.
Low/Informational: Minimal direct risk but may indicate areas for improvement.

Likelihood Definitions

High: Very easy to exploit or highly incentivized.
Medium: Exploitation is possible under certain conditions.
Low: Difficult to exploit or requires very specific conditions.

Reward Structure

Severity	Max. Reward
Critical	$500,000
High	$100,000
Medium	$10,000

Terms and Conditions

By submitting a report, you grant Symbiotic the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Symbiotic. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.