Security Policy


Last updated 3 years ago

Bug Bounty

Castle Labs is now offering a Bug Bounty program for security researchers who discover vulnerabilities or exploits in Castle's Solana programs.

Security vulnerabilities and other high-severity issues that are successfully reported under the terms of the Bug Bounty program are eligible for a reward of up to $100,000, depending on severity.

Rewards

| Severity | Description | Bounty |
| --- | --- | --- |
| Critical | Bugs that freeze user funds, drain the contract's holdings, or involve theft of funds without user signatures. | 10% of the value of the hack, up to $100,000. |
| High | Bugs that could temporarily freeze user funds or incorrectly assign value to user funds. | $10,000 to $25,000 per bug, assessed on a case-by-case basis. |
| Medium/Low | Bugs that don't threaten user funds. | $1,000 to $5,000 per bug, assessed on a case-by-case basis. |

The severity guidelines are based on Immunefi's classification system.

Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.

Submission

Please message @charlie_you on Telegram or send an email to [email protected] with a detailed description of the attack vector. For critical and high bugs, we require a proof of concept done on a privately deployed contract. We will reach back out within 1 business day with additional questions or next steps on the bug bounty.

Scope

The Castle Vault Solana program: https://github.com/castle-finance/castle-vault/tree/dev/programs/castle-vault

Terms

  • The vulnerability:

    1. Must be first reported to Castle Labs exclusively.

    2. Must not be publicly shared before reporting to Castle Labs.

    3. Must not be publicly shared during Castle Labs' investigation and fix.

    4. Must be reproducible by Castle Labs.

    5. Should only be publicly disclosed if agreed upon after bug resolution.

  • You must be the first person to report this vulnerability.

  • You must not maliciously exploit the vulnerability in any way after discovery.

  • You must not be subject to United States sanctions or live in any U.S.-embargoed country.