Polygon POS: Program Info

Rewards and Recognition

Severity Clasification

Polygon classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Polygon.

Payouts and Payout Requirements

• Payouts are handled by the Polygon Labs team directly and are denominated in USD. Payouts are done in USDC or MATIC at the Polygon Labs teams' discretion. Polygon Labs commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures.
• This bug bounty program is only open to individuals who reside outside of the countries that are restricted by OFAC and by UNSC resolutions. If the individual is a US person, tax information may be required in order to properly issue a 1099.

KYC Requirements

• Polygon Labs does have a Know Your Customer (KYC) requirement for bug bounty payouts.
• KYC information is only required on confirmation of the validity of a bug report which Polygon Labs determines in its sole discretion.

Out of Scope - General

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
• Broken link hijacking is out of scope
• Loss of funds held by third parties
• Attacks related to vulnerable, old or deprecated libraries, that are not exploitable

Out of Scope - Smart Contracts and Blockchain/DLT

• Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
• Previously known vulnerabilities in Tendermint and or/any other fork of these.
• Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks

Prohibited Activities

The following activities are prohibited by this bug bounty program. Violation of these rules may result in zero payout.

• Any testing with mainnet or public testnet deployed code; all testing should be done on private testnets
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty
• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
  
• Avoid compromising any personal data, interruption, or degradation of any service
  
• Don’t access or modify other user data, localize all tests to your accounts
  
• Perform testing only within the scope
  
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  
• Don’t spam forms or account creation flows using automated scanners
  
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  
• Don’t break any law and stay in the defined scope
  
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without written consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• All reports should include a runnable Proof of Concept (PoC) in order to prove impact
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program;
• Payouts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production.
• Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bug bounty program unless explicitly mentioned as in-scope.
• For GitHub repositories please ensure you are reviewing the latest published releases
• ONLY USE YOUR HackerProof ADDRESS (in case of violation, no bounty can be awarded)