Bug Bounty Program
We pay researchers who responsibly disclose security issues. Send reports to [email protected] (PGP key in security.txt).
Scope
- Production APIs at /v1/*, /v2/*, /api/*
- Public web at the official Atestaria domain
- Browser extension
- $SEAL smart contract on supported chains
Out of scope
- Self-XSS without an attack chain
- Volumetric DoS
- Social engineering
- Vulnerabilities in third-party services we use
Severity & reward (USD-equivalent in $SEAL or fiat)
Critical: $5,000 to $50,000 · RCE, full DB read, contract drain, signature forgery
High: $1,500 to $5,000 · auth bypass, IDOR on PII, audit chain forgery
Medium: $300 to $1,500 · stored XSS, sensitive info leak
Low: $50 to $300 · low-impact issues, hardening recommendations
Rules
- No data exfiltration. Demonstrate impact with the minimum data needed.
- Use staging when possible.
- Disclose only after we confirm a fix.
Hall of Fame coming soon.