Bug Bounty Policy
How to engage with Mintbase and qualify for rewards when you discover issues with our platform.

If an attack vector is disclosed publicly or used to deny service to users for any amount of time, the reporting party will be disqualified from receiving bounties.

How To Notify Us

Join our Telegram channel dedicated to security issues reporting and describe the nature of the bug or vulnerability. Here are a few examples:
Calling contract method set_status_of_address with argument xyz results in incorrect state.
Adding argument zyx to smart contract method call results in an unpredicted downstream XCC.
Header injection calling on a Mintbase-owned HTTPS endpoint results in 200 vs 403.

Next Steps

Once we have verified there is an issue, our team will work with you directly to fix the issue. Only when the issue has been verified as fixed by the Mintbase team will we proceed with payment.

Bounty Amounts

The base amount for a verifiable issue is 500 USD. For a larger issue that could have lasting impacts on the future of Mintbase users, the amount can increase substantially. This determination is at the sole discretion of our security and leadership teams.

When & How We Will Pay

Only when an issue has been verified as fixed will we issue payment. At the time of this writing, payments will be made in NEAR token; however, other fiat channels and tokens will be considered depending on the circumstances.

Examples of Bugs We Are Looking For

Problems with smart contracts (we are working actively with auditing companies) that could enable unauthorized parties to perform state mutations they shouldn't be authorized to perform.
Exploits on client programs that could cause degradations of performance, or incorrect arguments sent to blockchain transactions.
And of course, all the ones that we haven't thought of yet.

Summary

Wear a white hat, bring us a legit report and you will be rewarded appropriately. We are hiring, so if you're looking for a job with a fun team in a new space, a legit bug report is not a bad way to get our attention.