Bug Bounty Program
Overview
Help secure the Monolith protocol and earn rewards by responsibly disclosing security vulnerabilities.
Program Scope
In Scope
- Smart contracts in the Monolith protocol
- Frontend interfaces
- API endpoints
- Integration services
Out of Scope
- Third-party dependencies
- Known issues already disclosed
- Social engineering attacks
- DDoS attacks
Reward Structure
Critical Vulnerabilities
- Direct theft of funds
- Permanent loss of funds
- Complete protocol compromise
High Severity
- Temporary loss of funds
- Significant protocol disruption
- Major functionality compromise
Medium Severity
- Limited loss of funds
- Temporary service disruption
- Data exposure without financial impact
Low Severity
- Minor issues
- Edge case problems
- Documentation issues
How to Participate
Step 1: Review Guidelines
Read our disclosure policy and testing guidelines carefully.
Step 2: Test Responsibly
- Only test on testnet/mainnet with permission
- Do not perform DoS attacks
- Respect rate limits
- Do not access private user data
Step 3: Report Findings
Send reports to: security@monolith.fi
Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fixes (optional)
Step 4: Wait for Response
- Initial response within 48 hours
- Vulnerability validation within 7 days
- Reward payment within 30 days of fix deployment
Disclosure Policy
- We follow responsible disclosure practices
- We commit to not pursuing legal action against good-faith researchers
- We ask that you allow us reasonable time to fix issues before public disclosure
Rules
- No public disclosure without permission
- No exploitation of vulnerabilities for personal gain
- No testing on mainnet without explicit approval
- One report per vulnerability
Contact
For questions about the bug bounty program:
- Email: security@monolith.fi
- Discord: #security channel

