Security Policy
Castle Labs is now offering a Bug Bounty program for security researchers who discover vulnerabilities or exploits in Castle's Solana programs.
Vulnerabilities that are successfully reported under the terms of the Bug Bounty program are eligible for a reward of up to $100,000, depending on severity.
Severity | Description | Bounty
---|---|---
Critical | Bugs that permanently freeze user funds, drain the program's holdings, or allow theft of funds without a user signature. | 10% of the funds at risk, capped at $100,000.
High | Bugs that could temporarily freeze user funds or incorrectly assign value to user funds. | $10,000 to $25,000 per bug, assessed on a case-by-case basis.
Medium/Low | Bugs that do not threaten user funds. | $1,000 to $5,000 per bug, assessed on a case-by-case basis.
Note that these are only guidelines for the severity of bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
Please message @charlie_you on Telegram or send an email to [email protected] with a detailed description of the attack vector. For Critical and High bugs, we require a proof of concept executed against a privately deployed copy of the program, not against the production deployment. We will reach back out within 1 business day with additional questions or next steps on the bug bounty.
In scope: the Castle Vault Solana program: https://github.com/castle-finance/castle-vault/tree/dev/programs/castle-vault
To be eligible for a reward:
- The vulnerability:
  1. Must be reported to Castle Labs first and exclusively.
  2. Must not be publicly shared before it is reported to Castle Labs.
  3. Must not be publicly shared during Castle Labs' investigation and fix.
  4. Must be reproducible by Castle Labs.
  5. Should only be publicly disclosed after the bug is resolved and disclosure is agreed upon with Castle Labs.
- You must be the first person to report the vulnerability.
- You must not maliciously exploit the vulnerability in any way after discovery.
- You must not be subject to United States sanctions or live in any U.S.-embargoed country.