# Bug Bounty Program

## Overview

The program covers vulnerabilities in Pact's smart contracts and in its frontend and backend.

## Rewards

| Severity | Payout            |
| -------- | ----------------- |
| Critical | up to 100 000 USD |
| High     | 25 000 USD        |
| Medium   | 5 000 USD         |

## Scope

All smart contracts in our GitHub [repo](https://github.com/pactfi/algorand-testbed) are in scope. You can find them deployed on MainNet by checking our pools at <https://app.pact.fi>. PyTeal source code will be released in Q2/Q3 2022.

Our web app (<https://app.pact.fi>) and API (<https://api.pact.fi>) are also in scope.

## Severity Classification

The bug bounty program uses the [Immunefi Vulnerability Severity Classification System](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2/) with the following exceptions.

All critical payments, both for smart contracts and the website, are capped at 10% of the economic damage.

**Web vulnerabilities** in scope are those which lead directly and unequivocally to loss of user funds, such as by spoofing transactions on the Pact interface.

## Out of Scope & Rules

**All programs**

* Attacks that the reporter has already exploited himself, leading to damage
* Attacks that rely on social engineering
* Attacks requiring access to leaked keys/credentials
* Attacks already reported or published

**Smart Contracts/Blockchain**

* Incorrect data supplied by third party oracles/exchange rate being outdated
  * Not to exclude oracle manipulation/flash loan attacks
* Basic economic governance attacks (e.g. 51% attack)
* Loss of positive slippage through Sandwich Attacks
* Lack of liquidity
* Best practice critiques
* Sybil attacks

**Websites and Apps**

* Any and all web vulnerabilities that do not directly lead to loss or permanent locking of user funds are out of scope

**The following activities are prohibited by the bug bounty program:**

* Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
* Any testing with pricing oracles or third party smart contracts
* Attempting phishing or other social engineering attacks against our employees and/or customers
* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
* Any denial of service attacks
* Automated testing of services that generates significant amounts of traffic
* Public disclosure of an unpatched vulnerability in an embargoed bounty

## Reporting

Email <bugbounty@pact.fi> with a detailed description of the attack. All bug reports must come with a proof of concept.
