The Augur Bounty Program provides public bounties for the disclosure of vulnerabilities and bugs. We call on all community members, security engineers and hackers to help identify bugs in the Augur contracts and codebase. Rewards are issued at a rate of 1 point to 1 USD.
Bounty payment amounts are decided by assessing severity.
We calculate the severity level according to the OWASP risk rating model based on both impact and likelihood:
You are ineligible for bounty rewards if the vulnerability submitted is already known by the Augur team, if it's publicly disclosed prior to the completion of the bounty process with the Augur team, or if it's found to have been exploited on the main Ethereum network.
Deployed versions of Augur's contracts can be found on Rinkeby and Ropsten. For Augur.js, the Augur client and Augur Node, submissions must be valid against their master branches.
Frequently Asked Questions
How are bounties paid out?
Rewards are paid out in BTC, ETH, or REP after the submission has been validated by the Forecast Foundation team. Proof of identity is needed.
Can I submit a bug report anonymously?
Of course! You will not be eligible for BTC/ETH/REP rewards. However, you can donate your reward to charity or another cause.
Who is ineligible for the bounty program?
Any developers, employees or other parties that are paid by the Forecast Foundation, directly or indirectly, are ineligible for bounty rewards.
Who will review my submission?
Determination of eligibility, score, and all related terms of a bounty payout are at the sole and final discretion of the Forecast Foundation.
Where can I discuss the bounty program?
You can send us an email at [email protected], or join the #bounties channel in our Discord.
Do you have a PGP key?
Yes, it can be found at augur.net/pgp.txt.