Welcome to Reflexer’s Bug Bounty Program. Reflexer is deeply focused on the security of the GEB framework, so we’re calling on our community to help us find any bugs or vulnerabilities. You can submit a bug by emailing [email protected] and earn a reward of up to USD 70,000$. Please see our Scope, Disclosure and Eligibility sections for more details.
This Program is limited to the vulnerabilities affecting the GEB framework in the following contracts and repositories:
The following contracts and repositories are not in the scope of this bounty program:
Vulnerabilities related to the following activities and infrastructure are also outside of the scope of the program:
geb.js and geb-console
Gas APIs and clients
Social engineering of Reflexer staff or contractors
The reward will be received in the USDC token based on the following severity scheme:
An issue that might cause immediate loss of >= 5% of the funds, or may permanently affect the state of a GEB instance.
Very High / High
An issue that might cause immediate loss of < 5% of the funds, or severely damage state of a GEB instance.
An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.
Low / Very Low / Note
An issue that might cause user dissatisfaction or minimal failure.
Any vulnerability or bug must be reported by sending an email to [email protected]
The vulnerability must not be disclosed publicly
The vulnerability must not be disclosed to any person, entity or email address prior to disclosure to [email protected]
The vulnerability must not be disclosed in any other way other than to the [email protected] email
Disclosure must be made promptly after identifying a vulnerability
When disclosing a vulnerability, please include the following information in your email, if possible:
The steps needed to reproduce the bug
Potential implications of the vulnerability being abused
A detailed report of the vulnerability increases the likelihood of a reward and may also increase the amount received.
Submissions needs to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
You must be the first to disclose the unique vulnerability to [email protected], in compliance with the disclosure requirements above.
You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
You must not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
You must submit only one vulnerability per submission, unless you need to provide more information related to the impact of the vulnerability.
You must be at least 18 years of age.
You must not be subject to US sanctions or reside in a US-embargoed country.
You must not be one of our current or former employees, vendors, or contractors or a current or former employee of any of those vendors or contractors.
Submissions not following the disclosure policy will not be eligible for a reward.
Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Reflexer.
The GEB documentation can be found here.