friend.tech Bug Bounty

Overview

The security of friend.tech, its smart contracts, and its web app is of utmost importance to us. For that reason, we run an official friend.tech bug bounty program (the "program") to incentivize responsible bug disclosure.

Rewards will be allocated based on the severity of the bug disclosed and assets at risk. Rewards can be up to 1,000,000 USDC.


Scope

The program includes vulnerabilities and bugs in:

However, if you find a bug outside of these which places friend.tech users' funds at risk, the team may consider the issue to be in scope for our bounty.

The following are not within the scope of the program:
  • Third party contracts that are not under the direct control of friend.tech
  • Bug reports covering previously reported bugs
  • Bugs in third party contracts or applications that use friend.tech contracts
  • Bugs related to integrated services outside of the code integrating them with friend.tech website
  • Bugs that require privileged roles or access
  • Social engineering attacks


Rewards

The program uses the following four-level severity scale:

  • Critical
    • Issues that could impact numerous users and have serious reputational, legal, or financial implications. Examples would be the ability to lock contracts permanently or to take funds from all users.
  • High
    • Issues that impact individual users where exploitation would pose reputational, legal, or moderate financial risk to the user.
  • Medium
    • The risk is relatively small and does not pose a threat to user funds.
  • Low/Informational
    • The issue does not pose an immediate risk but is relevant to security best practices.

Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of friend.tech. You can find out more about this scale at the OWASP risk rating methodology page.


Disclosure

Any vulnerability or bug discovered must be reported only to the following email: security+bugbounty@friend.tech.

The vulnerability must not be disclosed publicly or to any other person, entity, or email address before friend.tech has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.


Eligibility

To be eligible for a reward under this program, you must:

  • Discover a previously unreported, non-public vulnerability that is not already known to the team and is within the scope of this program.
  • Be the first to disclose the unique vulnerability to security+bugbounty@friend.tech, in compliance with the disclosure requirements.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this program).
  • Not publicize a vulnerability in any way, other than through private reporting to us.
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption, or degradation of any of the assets in scope.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this program.
  • Not engage in any unlawful conduct when disclosing the bug to security+bugbounty@friend.tech, including through threats, demands, or any other coercive tactics.
  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
  • Provide required KYC information, including, but not limited to:
    • Full name
    • Date of birth
    • Proof of address (either a redacted bank statement with address or a recent utility bill)
    • Copy of passport or other government-issued ID
  • Not be subject to US sanctions or reside in a US-embargoed country (must pass OFAC screening and cannot be on the SDN list).
  • Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.
  • Comply with all the eligibility requirements of the program.

Other Terms

By submitting your report, you grant friend.tech any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.

The terms and conditions of this program may be altered at any time.