Security Policy

Bug Bounty

Castle Labs is now offering a Bug Bounty program for security researchers that discover vulnerabilities or exploits in Castle's Solana programs.

Security vulnerabilities and other high-severity issues that are successfully reported under the terms of the Bug Bounty program can be eligible for a reward of up to $100,000, depending on severity.

Rewards

| Severity | Description | Bounty |
| --- | --- | --- |
| Critical | Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures. | 10% of the value of the hack, up to $100,000. |
| High | Bugs that could temporarily freeze user funds or incorrectly assign value to user funds. | $10,000 to $25,000 per bug, assessed on a case-by-case basis. |
| Medium/Low | Bugs that don't threaten user funds. | $1,000 to $5,000 per bug, assessed on a case-by-case basis. |

The severity guidelines are based on Immunefi's classification system.

Note that these are only guidelines for the severity of bugs. Each bug bounty submission will be evaluated on a case-by-case basis.

Submission

Please message @charlie_you on Telegram or send an email to [email protected] with a detailed description of the attack vector. For critical and high bugs, we require a proof of concept done on a privately deployed contract. We will reach back out in 1 business day with additional questions or next steps on the bug bounty.

Scope

The Castle Vault Solana program: https://github.com/castle-finance/castle-vault/tree/dev/programs/castle-vault

Terms

  • The vulnerability:

    1. Must be first reported to Castle Labs exclusively.

    2. Must not be publicly shared before reporting to Castle Labs.

    3. Must not be publicly shared during Castle Labs’ investigation and fix.

    4. Must be reproducible by Castle Labs.

    5. Should only be publicly disclosed if agreed upon after bug resolution.

  • You must be the first person to report this vulnerability.

  • You must not maliciously exploit the vulnerability in any way after discovery.

  • You must not be subject to United States sanctions or live in any U.S.-embargoed country.

Last updated