Ichi.Farm Bug Bounties
Get paid to help protect.
We categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. Rewards are administered according to the following guidelines:
Standard Bounty Table
SEVERITY / CVSS SCORE / REWARD
Critical / 9.0–10.0 / $5,000 — $10,000
High / 7.0–8.9 / $2,500 — $5,000
Medium / 4.0–6.9 / $400 — $700
Low / 0.1–3.9 / $100-$300
Note: If the Report does not include a valid Proof-of-Concept, eligibility for a reward will be decided according to the reproducibility and severity of the vulnerability, and the reward amount may be reduced significantly.
We have not set a maximum reward for the reporting of security vulnerabilities and may increase reward amounts based on the severity of the vulnerability found. The specific reward amount for a bug will vary according to:
- The effect of the bug.
- The cause of the bug.
- Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.
- The process through which the bug was discovered.
Besides earning the reporter a place in our security hall of fame, every submitted security vulnerability that results in a fix on our side will receive a monetary reward.
For bug submission, please email bugs@ichi.farm.
Policy
Ichi.Farm recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Note: This program is for the disclosure of software security vulnerabilities only.
This Program is limited to vulnerabilities affecting Ichi.Farm in the following contracts:
Eligibility of vulnerabilities
To be eligible, you must:
- Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on Ichi.Farm (but not on any third-party platform interacting with Ichi.Farm) and that is within the scope of this Program.
- Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- Not engage in any unlawful conduct when disclosing the bug to Ichi.Farm, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Ichi.Farm.
- Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Be at least 18 years of age.
Out of Scope for Ichi.Farm
The following are not within the scope of the Program:
- Bugs in any third-party contract or platform that interacts with Ichi.Farm;
- Vulnerabilities already reported and/or discovered in contracts built by third parties on Ichi.Farm; and
- Any already-reported bugs.
Vulnerabilities contingent upon the occurrence of any of the following activities are also outside the scope of this Program:
- Front end bugs;
- DDoS attacks;
- Spamming;
- Automated tools;
- Compromising or misusing third-party systems or services.
Rules
- Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
- By submitting a bug, you agree to be bound by the rules.
Disclaimer:
- Ichi.Farm reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.
- By submitting a bug, you agree to be bound by the above rules.
Safe Harbour:
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
For bug submission, please email bugs@ichi.org.