🪲Bug Bounties

Receive AQUA for helping us squash bugs

Part of keeping Aquarius’ constant growth is ensuring the protocol is operational, reliable, and consistently performing to the highest standards. Now and then, a bug inside the code or loopholes can cause issues, creating vulnerabilities to the Aquarius protocol.

Bug bounties reward those who find & raise vulnerabilities with the team, allowing fixes to be deployed and safeguarding Aquarius.

In the past, users have addressed potential bugs through governance, but this process is not needed if an issue affects the main goals of Aquarius. We have an allocated Bug Bounty fund tied to the emergency fund, which we use to reward those who find vulnerabilities.

What bugs can result in rewards?

Reward considerations apply to most bugs found that can negatively impact Aquarius. We pay bounties at our discretion, with reward values depending on the severity & complexity of the issue.

While we can consider a lot of different issues for a bounty, the following issues would not come under our scope:

Bugs in any third party platform that interacts with Aquarius
Vulnerabilities already reported and/or discovered by the team or advisors
Any already-reported bugs by others in the community

Vulnerabilities that occur due to any of the following are also outside of the bug bounties scope:

Front end bugs
DDOS attacks
Spamming
Phishing
Compromise or misuse of third-party systems or services.

How should I report potential bugs?

Any vulnerability or bug discovered should be reported via private message to any of the admins of the Telegram, Discord, or Reddit channels or our bug reporting email address report@aqua.network.

The vulnerability must not be disclosed publicly or to any other person, entity, or email address before Aquarius has been notified and a fix deployed. The disclosure of a bug must be made preferably within 24 hours following its discovery. Once fixed, permission will be granted for public disclosure.

The more detailed a vulnerability report, the higher the likelihood of a reward and its value. Please provide as much information about the vulnerability as possible, including:

What conditions cause the bug to occur
The steps needed to reproduce the bug or, preferably, a proof of concept.
The potential implications of the vulnerability being abused.

Anyone who reports a unique, previously unreported, and publicly undisclosed vulnerability that results in a deployed fix by our developers will be recognized publicly for their contribution if they so choose.

Eligibility

To be eligible for a reward under this Program, you must:

Discover a previously unreported, non-public vulnerability that would result in loss of user’s funds or abuse of the Aquarius protocol, which is within the scope of this Program.
Be the first to disclose the unique vulnerability to the Aquarius team in compliance with the disclosure requirements above. If multiple users report similar vulnerabilities within 24 hours, rewards will be split at the discretion of Aquarius.
Provide sufficient information to enable our developers to reproduce and fix the vulnerability.
Not engage in any unlawful conduct when disclosing the bug to Aquarius, including through threats, demands, or any other coercive tactics.
Not exploit the vulnerability in any way, including making it public or obtaining a profit (other than a reward under this Program).
Make a good faith effort to avoid privacy violations, data destruction, interruption, or degradation of the Aquarius protocol.
Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
Not separately submit underlying vulnerabilities caused by a known issue already considered for a bug bounty.
Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
Not be subject to US sanctions or reside in a US-embargoed country.
Not be one of our current or former employees, vendors, contractors, or employees of any of those vendors or contractors.
Comply with all the eligibility requirements of the Program.

Other Terms

By submitting your report, you grant Aquarius all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility, reward amounts, and how such rewards will be paid, are made at our discretion.

Aquarius may alter the terms and conditions of this Program at any time.

PreviousAudits & Bug Bounty Fixes NextClaimable Balances

Last updated 6 months ago

What bugs can result in rewards?

Reward considerations apply to most bugs found that can negatively impact Aquarius. We pay bounties at our discretion, with reward values depending on the severity & complexity of the issue.

While we can consider a lot of different issues for a bounty, the following issues would not come under our scope:

Bugs in any third party platform that interacts with Aquarius

Vulnerabilities already reported and/or discovered by the team or advisors

Any already-reported bugs by others in the community

Vulnerabilities that occur due to any of the following are also outside of the bug bounties scope:

Front end bugs

DDOS attacks

Spamming

Phishing

Compromise or misuse of third-party systems or services.

How should I report potential bugs?

Any vulnerability or bug discovered should be reported via private message to any of the admins of the Telegram, Discord, or Reddit channels or our bug reporting email address report@aqua.network.

The more detailed a vulnerability report, the higher the likelihood of a reward and its value. Please provide as much information about the vulnerability as possible, including:

What conditions cause the bug to occur

The steps needed to reproduce the bug or, preferably, a proof of concept.

The potential implications of the vulnerability being abused.

Eligibility

To be eligible for a reward under this Program, you must:

Discover a previously unreported, non-public vulnerability that would result in loss of user’s funds or abuse of the Aquarius protocol, which is within the scope of this Program.

Be the first to disclose the unique vulnerability to the Aquarius team in compliance with the disclosure requirements above. If multiple users report similar vulnerabilities within 24 hours, rewards will be split at the discretion of Aquarius.

Provide sufficient information to enable our developers to reproduce and fix the vulnerability.

Not engage in any unlawful conduct when disclosing the bug to Aquarius, including through threats, demands, or any other coercive tactics.

Not exploit the vulnerability in any way, including making it public or obtaining a profit (other than a reward under this Program).

Make a good faith effort to avoid privacy violations, data destruction, interruption, or degradation of the Aquarius protocol.

Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.

Not separately submit underlying vulnerabilities caused by a known issue already considered for a bug bounty.

Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.

Not be subject to US sanctions or reside in a US-embargoed country.

Not be one of our current or former employees, vendors, contractors, or employees of any of those vendors or contractors.

Comply with all the eligibility requirements of the Program.

Other Terms

Aquarius may alter the terms and conditions of this Program at any time.