Overview
Security is always core to HashMix. We’d like to use as much help as we could get to optimize the security of our system. Therefore, we encourage our community to audit the security and report any potential issues. A responsible report can earn a reward of up to USD 100,000$.
Scope
The primary scope of this bounty program is for HashMix Lending and related products.
The scope may change as current products may be upgraded, and new products may be released.
Rules
- Public disclosure of a vulnerability would make it ineligible for a reward.
- Technical knowledge is required for the process.
- Duplicated issues are not eligible for the reward. The first submission would be the eligible one.
- Rewards will be decided on a case-by-case basis, and the bug bounty program, terms, and conditions are at the sole discretion of HashMix.
- Rewards will vary depending on the severity of the issue. Other variables considered for rewards include the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
- Submissions need to be related to the Scope. Submissions out of the Scope won’t be eligible for a reward.
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming the user experience.
- Not engage in blackmail, extortion, or any other unlawful conduct.
- Terms and conditions of the bug bounty process may vary over time.
Exclusions
- Denial of Service attacks and Active Exploits against the HashMix platform.
- Social engineering and phishing of HashMix project contributors, ecosystem collaborators, or community members.
- Physical or electronic attempts to access offices where project contributors work or data centers.
- Compromising user accounts or stealing funds.
Rewards
The reward of reporting a bug would be $100 to $100,000 based on the rules provided.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with it.
Submit
Please submit all bug bounty disclosures to dev@hashmix.org. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. We’ll follow up as soon as possible.
