Last updated: 21 November 2023
BlockWarden has a set of rules that govern project and warden participation on its bug bounty marketplace. These rules exist in addition to the rules that are listed on each bug bounty program page.
Violation of these rules can result in a temporary suspension or permanent ban from the BlockWarden website at the sole discretion of the BlockWarden team.
For wardens, this may also result in: 1) forfeiture and loss of access to bug reports, and 2) zero payout.
For projects, this may also result in: 1) being removed from the BlockWarden website, and 2) publication of this removal in the case of SLA breakage.
Please note that BlockWarden has no tolerance for spam/low-quality/incomplete bug reports, beg bounty behaviour, misrepresentation of assets and severity, and refusal to pay wardens.
These rules can be changed at any time.
Prohibited Behaviour for Wardens
- Any testing with mainnet or public testnet contracts. Testing on mainnet or public testnet is grounds for an immediate and permanent ban
- Misrepresenting assets in scope: claiming that a bug report impacts/targets an asset in scope when it does not
- Misrepresenting severity: claiming that a bug report is critical when it clearly is not
- Automated testing of services that generates significant amounts of traffic
- Exploiting/attacking or threatening to exploit/attack a project on BlockWarden
- Whitehacking with intent to save user or protocol funds without the express written consent of the project; such consent is arranged through the bug bounty program (BBP)
- Attempting phishing or other social engineering attacks against BlockWarden and/or projects on BlockWarden
- Contacting non-support staff at BlockWarden about your bug report
- Harassment, i.e., excessive, abusive, or bad faith communication
- 'Beg bounty' behaviour, i.e. begging for a bounty reward that is not owed to the warden based on the terms of the bug bounty program
- Requesting gas fees from BlockWarden or projects
- Disputing a bug report in the dashboard once it has been paid or marked as closed, with the exception of requesting mediation
- Advertising or promotion of services
- Attacks based on personal characteristics
- Impersonation of other wardens
- Obscene or extremely offensive usernames
- Threats of violence
- Threatening to publish or publishing people’s personal information without their consent
- Extortion/blackmail or threats of extortion/blackmail
- Posting illegal content
- Reporting a bug that has already been publicly disclosed
- Creating multiple accounts on the BlockWarden website
- Publicly disclosing a bug report, or even the existence of a bug report for a specific project, before it has been fixed and paid
- Failing to abide by the policies set by projects, which determine what wardens are allowed to publish about their bug reports
- Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
- Submitting a bug report that is not substantially your own (co-submitting with another hacker with their consent is permitted)
- Submitting spam/very low-quality bug reports and submitting information through our platform that is not a bug report
- Submitting a bug report in a language other than English
- Submitting a bug report with no PoC or an incomplete PoC if it is required by the project's bug bounty program
- Routing around BlockWarden and communicating with a project directly - negotiations outside of the BlockWarden website are considered invalid
- Submitting bugs via email or any channel other than the BlockWarden website
- Submitting AI-generated/automated scanner bug reports
- Submitting fixes to a project's repository without their express consent
- Unauthorised disclosure or access of sensitive information beyond what is necessary to submit the report
- Mediation request abuse
- Promoting any of the behaviour listed above
Prohibited Behaviour for Projects
- Mediation request abuse
- Abusing the "no fix, no pay" rule by quietly fixing the bug later without providing full payment to the wardens
- Routing around BlockWarden and communicating with a warden directly - negotiations outside of the BlockWarden website are considered invalid
- Claiming a bug report is a known or duplicate issue without clear evidence
- Paying wardens who submit bug reports via BlockWarden without notifying BlockWarden
- Publicly disclosing a bug report before you have both fixed the issue and paid the warden
- Soliciting wardens on BlockWarden for commercial projects or private bug bounty programs
- Attacks based on personal characteristics
- Bad faith communication
- Closing a report without providing detailed information and/or evidence as to why it should be closed
- Promoting any of the behaviour listed above
- Refusing to provide wardens or BlockWarden with necessary information about their project for invoicing purposes if that information is available
- Breaking SLAs regarding responsiveness and bug report resolution
Behavioral Code
- Be ethical
- Be respectful and considerate
- Be professional
- Be patient
- Be privacy conscious
Scope and Enforcement
The team will take all reasonable actions to ensure the successful execution of BlockWarden's mission and the maximum effectiveness of the project. All material in official project spaces is subject to the rules, and as such, can be deleted, modified, or rejected by the team if it is found to be in violation of the rules. In repeated or severe cases, the team may exclude users from the BlockWarden bug bounty marketplace and/or its project spaces on a temporary or permanent basis.