
Bug Bounty Program

Help secure usmewe and earn rewards for finding vulnerabilities.

Program Overview

Our bug bounty program launches with mainnet. It is currently in preview mode, accepting testnet findings only.
Severity | Reward Range    | Response Time
Critical | 10,000 - 50,000 | 24 hours
High     | 5,000 - 10,000  | 48 hours
Medium   | 1,000 - 5,000   | 1 week
Low      | 100 - 1,000     | 2 weeks

Scope

In Scope

Smart Contracts

  • TrustVault.sol
  • P2PLoan.sol
  • SocialVault.sol
  • InsurancePool.sol
  • Governance.sol

Web Application

  • Authentication bypass
  • Authorization flaws
  • Injection vulnerabilities
  • Session management

API

  • Authentication/authorization
  • Rate limiting bypass
  • Data exposure
  • Business logic flaws

Mobile App

  • Local data security
  • Network security
  • Authentication issues
  • Key management

Out of Scope

  • Social engineering attacks
  • Physical security issues
  • Denial of service (DoS)
  • Issues in third-party dependencies (report upstream)
  • Issues already reported
  • Testnet-only issues without mainnet impact

Severity Guidelines

Critical

Direct loss of user funds or complete protocol compromise
Examples:
  • Unauthorized withdrawal of funds
  • Manipulation of Trust Score for unlimited borrowing
  • Complete bypass of timelock/multi-sig
  • Minting of tmUSDC without deposits

High

Examples:
  • Partial fund loss or significant manipulation
  • Bypass of core security mechanisms
  • Privilege escalation to admin roles
  • Breaking invariants in financial calculations

Medium

Examples:
  • Limited fund manipulation
  • Information disclosure of sensitive data
  • Bypass of non-critical security features
  • Logic errors with moderate impact

Low

Examples:
  • Minor information disclosure
  • Issues requiring unlikely conditions
  • UI/UX security improvements
  • Best practice violations

How to Report

Step 1: Document

Prepare a detailed report including:
## Summary
Brief description of the vulnerability

## Severity Assessment
Your assessment of severity and impact

## Steps to Reproduce
1. Step one
2. Step two
3. ...

## Proof of Concept
Code, screenshots, or video demonstrating the issue

## Impact
What an attacker could achieve

## Suggested Fix
Your recommendation (optional but appreciated)

Step 2: Submit

Send your report to: [email protected]
  • Use PGP encryption if possible (key below)
  • Include “Bug Bounty” in subject line
  • One vulnerability per report

Step 3: Wait

  • You’ll receive acknowledgment within 24 hours
  • We’ll assess and respond per severity timeline
  • Keep vulnerability confidential during assessment

PGP Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key will be published here]
-----END PGP PUBLIC KEY BLOCK-----

Rules

Do

  • Test on testnet when possible
  • Stop testing if you access user data
  • Report promptly after discovery
  • Provide detailed reproduction steps
  • Allow reasonable time for fixes

Don’t

  • Access or modify other users’ data
  • Perform denial of service attacks
  • Social engineer team members
  • Disclose before we’ve fixed the issue
  • Demand payment before providing details

Rewards

Payment

  • Paid in USDC (or fiat equivalent)
  • Within 30 days of confirmed fix
  • Bonus for exceptional reports

Recognition

  • Hall of Fame listing (with permission)
  • Security researcher badge in app
  • Invitation to private security updates

Hall of Fame

Be the first to join our Security Hall of Fame!
Researcher | Findings | Total Rewards
---
We will not pursue legal action against researchers who:
  • Act in good faith
  • Follow responsible disclosure
  • Avoid privacy violations
  • Do not disrupt services
  • Comply with applicable laws

FAQ

Yes, but use only your own accounts. Never access other users’ data.
Stop immediately, do not store/share the data, and report the vulnerability.
Based on severity, impact, and quality of report. We may adjust within ranges.
Yes, after 90 days or with our written permission, whichever is sooner.
