Mediation Process for Bounties

At Cantina, we strive to create a collaborative environment where researchers and clients can work together to enhance security. Our mediation process is designed to handle disputes that arise during the evaluation of bug bounty submissions. This document outlines the steps involved in the mediation process, the roles of each party, and the guidelines for resolving disagreements.

Mediation Process

  1. Submission of Finding

    • Researcher: Submits a finding through the Cantina platform.

    • Client: Reviews the finding and provides an initial decision, including whether the finding is accepted, rejected, or modified in severity.

  2. Researcher Disagrees with Client Decision

    • If the researcher disagrees with the client’s decision, they may escalate the finding for mediation by Cantina.

  3. Escalation to Cantina

    • The researcher initiates the mediation process by submitting a request on the relevant report thread.

    • Direct communication between the researcher and the client must cease at this stage.

  4. Mediation and Solution Proposal

    • Cantina Triaging Team: Reviews the submitted finding and all report interactions.

    • Proposal: Provides a fair and neutral assessment based on triage criteria and platform norms.

    • Decision: Documents the assessment with a recommendation on validity and severity.

  5. Final Client Decision

    • The client retains the final say on implementation and payout, but Cantina may follow up to ensure platform standards are met.

Handling Client Disagreements

Cantina’s mediation process is designed to resolve disputes constructively and fairly. While clients retain the final decision on bounty and implementation, we assess all escalated cases for adherence to program scope, triage guidelines, and platform norms.

Although Cantina's proposal is non-binding, in case of technically incorrect rejections or downgrades, Cantina may initiate a private review and engage directly with the client to ensure expectations are aligned and platform integrity is upheld. These situations are handled on a case-by-case basis.

Our priority is to protect trust between researchers and programs, and we reserve the right to intervene if necessary to maintain a fair ecosystem.

Respectful Public Disclosure

We encourage all parties to resolve disputes amicably. Public disclosure must follow the client’s disclosure policy. If no policy is defined, Cantina will coordinate a mutually acceptable disclosure path.

Communication Guidelines

  • During Mediation: All direct communication between the researcher and client should cease. All updates must occur within the Cantina report thread.

  • Status Updates: Researchers may request status updates in the relevant bug report thread.

  • Duration: The mediation process may take up to 14 days from the initiation of the mediation request to its resolution.

Out-of-Scope Findings

Reports on assets or vulnerability types that were not explicitly in scope when the issue was discovered are ineligible for rewards.

No-Fix Decisions

When a submission results in no code changes or documentation updates, there may not be a monetary reward. A no-fix decision may be challenged if the parties agree that the risk involved needs to be re-evaluated.

Code of Conduct Violations

If either party breaches the program’s Code of Conduct—whether during testing, report creation, or follow-up—we may rule in favor of the other party.
