# Bug Bounty

### Bounty Program <a href="#reporting" id="reporting"></a>

{% hint style="warning" %}
**Important Notice!**

Please note that we do *not* accept vulnerability claims based on common Web2 pentest findings such as XSS or DMARC issues. The bug bounty program is strictly focused on the Web3 side of the protocol. We frequently receive submissions based on generic "online pentest" scans — these will unfortunately be rejected.
{% endhint %}

We encourage the community to audit our open source code; we also encourage the responsible disclosure of any issues. The bug bounty program is intended to recognize the value of working with the community of independent security researchers and sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Piteas offers substantial rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to users.

To be eligible for a bounty, a bug must not have been previously known by the Piteas team or publicly disclosed by anyone. All Piteas smart contracts and interactions (including bots and front-end code) are in scope.

The amount of compensation will vary depending on bug severity. Reward amounts typically correspond to severity in the following manner. The reward currency can be discussed on a case-by-case basis.

| Severity |                 Reward |
| -------- | ---------------------: |
| Low      |                   $250 |
| Medium   |                 $1,000 |
| High     |                $10,000 |
| Critical | 0-10% of funds at risk |

Severity is calculated according to the [OWASP](https://owasp.org/www-project-risk-assessment-framework/) risk rating model based on Impact and Likelihood.


### Submissions <a href="#submissions" id="submissions"></a>

Please DM your submissions on our social media channels or Telegram.

The submission must include clear and concise steps to reproduce the discovered vulnerability. The following layout of the bug bounty report is encouraged:

* Description: Describe the bug at a high level, with links to the problematic code
* Attack: Detailed instructions for exploiting the bug
* Mitigation: How to resolve the bug
* Suggested risk rating: The recommended severity of this bug

