Security is not to be taken lightly. We completed two security audits on Sparta, and Delphi audit is ongoing (shoutout to Certik!). But even 100 audits can’t guarantee that there are no vulnerabilities or bugs — some things remain undiscovered until a hacker finds an exploit. With this in mind, we are announcing the Akropolis Bug Bounty program and welcoming white-hats & developers to check our codebase.
The scope of this Bug Bounty program is to identify bugs and vulnerabilities not found during previous or ongoing audits. It covers all core smart contracts deployed on mainnet:
Rewards will be paid in $AKRO (or stablecoins) based on the severity of vulnerabilities/bugs identified. Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of Akropolis. Please reach out to Yana on [email protected] or in our Telegram or Discord if you have any questions.
What is not included in the scope of the bug bounty program:
- Frontend bugs. We have frontend sprints aimed at improving the UI/UX experience, fixing possible bugs in data visualization, etc. While we greatly appreciate such reports from the community members, there are no rewards for that (except for our sincere gratitude).
- Contracts not included in the above list. That’s pretty simple — we’re concentrating on products mentioned above primarily — thus bug bounty includes only them.
- Bugs of third party solutions. We monitor third-party integrations in our product and will act accordingly with the changes/bugs found there, but we can’t control code that is not ours. Please report such bugs to the development teams of corresponding projects.
- Already reported bugs. Development is a continuous process — we will be covering our code with tests to find bugs/exploits & conducting audits as code evolves. Bugs found by us or our auditors are not included in the Bug Bounty scope.
- A bug should be described for the first time and should not have been reported before. Duplicated issues are not eligible for a reward. The first submission would be the eligible one. Please do double-check before submitting.
- Bugs that were not found or described by security auditors. Please do check the security audit reports available in our Github before submitting.
- A bug report should have a detailed description & scenario for reproduction, as well as potential suggestions on how it can be fixed.
Please note that attacks carried out using methods of social engineering, phishing, fraud and deception, as well as physical attempts to disrupt the operation of the application (physical impact on the servers) will not be counted and will be punished in accordance with the rules of the Bug Bounty Program.
Allow us time to review and remediate any findings before public disclosure. More details are coming in the following days — we will be setting up an additional page on the website or wiki and Github with all the scope, rules & terms.