Bug Bounty Participation

At Cantina, we prioritize the security and integrity of our ecosystem. Our Bug Bounty program aims to foster collaboration between researchers and clients to identify and resolve vulnerabilities before they can be exploited. The guidelines and classification system outlined below ensure that vulnerabilities are appropriately categorized and that rewards are fairly distributed.

Bounty Severity Classification

Overview

The Severity Classification System provides a standardized framework for evaluating and categorizing vulnerabilities based on their impact and likelihood of exploitation. This system is designed to ensure consistency and transparency in assessing risks across our programs.
This classification serves as a general guide and may be customized depending on the individual program or client requirements. Please review the respective program’s home page for specific criteria.

Severity Levels

Vulnerabilities are classified into four distinct severity levels:
Impact / Likelihood   High        Medium      Low
High                  Critical    High        Medium
Medium                High        Medium      Low
Low                   Medium      Low         Informational

Severity Definitions

  1. Critical
    • Impact: Catastrophic damage to the protocol or its users.
    • Examples: Severe loss of assets, permanent system disruption, or widespread compromise.
    • Likelihood: High, minimal or no user interaction required.
  2. High
    • Impact: Significant damage to the protocol or its users, but not catastrophic.
    • Examples: Notable financial loss or significant harm to user trust.
    • Likelihood: Medium to high, some user interaction or specific conditions required.
  3. Medium
    • Impact: Moderate damage, typically affecting specific users or conditions.
    • Examples: Limited financial damage or moderate system impact.
    • Likelihood: Medium, requiring specific conditions or user interaction.
  4. Low
    • Impact: Minor damage, often limited to non-critical functionality.
    • Examples: Minimal risk or areas for improvement.
    • Likelihood: Low, requiring significant user interaction or unlikely conditions.

Scope and Considerations

The scope of vulnerabilities varies by component type:

Blockchain

  • Critical: Network-wide issues, permanent asset loss, or hard fork requirements.
  • High: Temporary disruptions or chain splits.
  • Medium: Resource spikes or localized node shutdowns.
  • Low: Minor disruptions or fee modifications.

Smart Contracts

  • Critical: Direct theft or governance manipulation.
  • High: Theft of unclaimed yield, unauthorized minting.
  • Medium: Griefing, gas theft.
  • Low: Non-critical behavior or minor issues.

Websites and Apps

  • Critical: Remote code execution, unauthorized access.
  • High: Sensitive data disclosure, subdomain takeovers.
  • Medium: Open redirects, HTML injection.
  • Low: Minor UI/UX issues.

Out of Scope

Vulnerabilities that are out of scope include:
  • Theoretical vulnerabilities without a proof of concept.
  • Social engineering, phishing, or issues requiring physical access.
  • Denial of Service (DoS) attacks without impact.

Testing Guidelines

To ensure responsible testing:
  • Use local forks instead of public chains.
  • Avoid actions that may disrupt network integrity.
  • Do not access or modify data that does not belong to you.
  • Provide detailed reports with proof of concept and steps to reproduce.

Eligibility

To qualify for a bounty, submissions must meet the following criteria:
  • Report a previously unknown, non-public vulnerability within the program’s scope.
  • Be the first to disclose the vulnerability.
  • Provide sufficient information to reproduce and resolve the issue.
  • Avoid exploiting the vulnerability or disclosing it publicly.
  • Comply with all program rules and guidelines.

Prohibited Actions

The following actions are prohibited:
  • Testing on public mainnet/testnet deployments.
  • Public disclosure of vulnerabilities without prior consent.
  • Exploitation of vulnerabilities for personal gain.
  • Engaging in illegal activities or coercive tactics.

Mediation Process for Bounties

At Cantina, we foster a collaborative environment where researchers and clients can work together to resolve disputes in a fair and transparent manner.

1. Submission of Finding

  • Researcher: Submits a finding.
  • Client: Reviews the finding and provides feedback.

2. Disagreement

Disagreements may arise over:
  • Severity assessment.
  • Finding validity.

3. Escalation to Cantina

If a resolution cannot be reached, either party can escalate the finding to Cantina for mediation.

4. Triage and Solution Proposal

Cantina’s triaging team will:
  • Review the finding.
  • Propose a fair solution based on the guidelines.

5. Final Decision

The client has the final say on the resolution.

Client Rejection Policy

If a client rejects more than five findings in one year that we believe are valid, Cantina reserves the right to:
  • Conduct a thorough review of the client’s participation.
  • Take necessary actions to ensure platform integrity.

Communication Guidelines During Mediation

  • Direct Communication: Cease direct communication between parties during mediation.
  • Reporting: Communicate all concerns to Cantina.
  • Status Updates: Researchers can request updates through the relevant bug report thread.

By adhering to these guidelines and classifications, we ensure a fair and transparent process that benefits both researchers and clients, and fosters the growth of a secure and resilient ecosystem.