# Security Policy

## Bug Bounty

Castle Labs is now offering a Bug Bounty program for security researchers that discover vulnerabilities or exploits in Castle's Solana programs.

Security vulnerabilities and other high-severity issues that are successfully reported under the terms of the Bug Bounty program can be eligible for a reward of up to **$100,000**, depending on severity.

### Rewards

| Severity   | Description                                                                                                     | Bounty                                                       |
| ---------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
| Critical   | Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures. | 10% of the value of the hack up to $100,000.                 |
| High       | Bugs that could *temporarily* freeze user funds or incorrectly assign value to user funds.                      | $10,000 to $25,000 per bug, assessed on a case-by-case basis |
| Medium/Low | Bugs that don't threaten user funds.                                                                            | $1,000 to $5,000 per bug, assessed on a case-by-case basis   |

The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/).

Note that these are guidelines only for assessing the severity of a bug. Each bug bounty submission will be evaluated on a case-by-case basis.

### Submission

Please message [@charlie\_you on Telegram](https://t.me/charlie_you) or send an email to <charlie@castle.finance> with a detailed description of the attack vector. For critical and high bugs, we require a proof of concept performed on a privately deployed contract. We will reach back out within 1 business day with additional questions or next steps on the bug bounty.

### Scope

The Castle Vault Solana program: <https://github.com/castle-finance/castle-vault/tree/dev/programs/castle-vault>

### Terms

* The vulnerability:
  1. Must be first reported to Castle Labs exclusively.
  2. Must not be publicly shared before reporting to Castle Labs.
  3. Must not be publicly shared during Castle Labs’ investigation and fix.
  4. Must be reproducible by Castle Labs.
  5. Should only be publicly disclosed if agreed upon after bug resolution.
* You must be the first person to report this vulnerability.
* You must not maliciously exploit the vulnerability in any way after discovery.
* You must not be subject to United States sanctions or live in any U.S.-embargoed country.

