A vulnerability rewards program (VRP), commonly referred to as a bug bounty, provides incentives to individuals, including security researchers and ethical hackers (Wardens), for discovering and reporting software bugs. This initiative extends to both closed and open-source code, allowing participation from anyone on the platform.
When a program lists a website in scope, are other directories in scope? And subdomains?
By default, all directories (e.g., site.com/something) will be covered, while subdomains (e.g., something.site.com) are not included, unless expressly stated otherwise by the program.
How is KYC handled and what do I need to provide?
The KYC process occurs directly between the Warden and the project. BlockWarden remains uninvolved in the KYC procedure, given that the project handles the bounty reward payment directly.
I think I’ve found a vulnerability, but I’m not sure. Can I share it with someone?
Avoid sharing it on a public channel. You may share it privately with another trusted Warden, but bear in mind that you will be accountable if the vulnerability is leaked and exploited. If you collaborate with another Warden, it is your responsibility to determine how to divide any bounty. BlockWarden and the project will not intervene in any disputes.
Are rewards required to be delivered as outlined in the project Bug Bounty program?
Evaluation and rewarding of all bug reports will be in accordance with the scope of the Bug Bounty Program (BBP) as it stands at the time of the report's submission.
Can I contact the project directly about a bug that I find?
No, engaging in such behaviour is prohibited and may lead to a warning or a ban. Directly reaching out to a project is a rule violation, since projects host their bug bounties on BlockWarden specifically to ensure that all communication occurs through our secure platform. Contacting a project before submitting through BlockWarden is likewise deemed a violation, resulting in no payout.
What valid reasons can projects use to close my report without payment?
- the bug is a duplicate
- the bug is a known issue to the project, and the project can supply appropriate proof
- the bug is a non-security issue (e.g. a low-level UI bug), so it does not require a payout even if fixed
- the project decides not to fix the bug
The project is not paying a reward although I believe the vulnerability is real. Do they have to pay me a reward?
A project is obligated to pay a bounty reward only if the reported vulnerability falls within the scope of their bug bounty program and they address the issue in their code based on the provided bug report. Should the project choose not to fix a vulnerability despite your report, they are not obliged to provide a reward.
BlockWarden serves as an intermediary for both hackers and projects within web3. Both 'Wardens' and 'Organisations' undergo vetting to guarantee the fairness, transparency, and rewarding nature of all Bug Bounty Programs (BBP) for those participating. BlockWarden applies commission fees ranging from 10% to 20% exclusively on completed bounties* to cover on-boarding, maintenance, consulting, report validation, and final report delivery. No platform or subscription fees are imposed.
Commence your bug bounty program or Warden journey by filling out our web form or sending us an email that provides detailed information about your project, including the project name, source code, preferred contact method (such as Telegram, Twitter, Discord), the underlying protocol of your smart contract, and the specific service you are seeking. Our team will handle the subsequent steps in the process.