Responsible Disclosure

Hack our platform. Get paid.

We eat our own dog food. Vibranium Audits runs a public bug bounty on its own platform, infrastructure, and audit-report verification system. Find a real bug, get paid in USDC within 14 days of triage.

🏆 Up to $25,000 per Critical finding

Severity → payout

Payouts are determined by the severity of the verified finding, calibrated to industry-standard rubrics (CVSS-adapted impact + likelihood, mapped to OWASP Web Top 10 and SWC Registry where applicable).

Severity | What qualifies | Bounty
CRITICAL | Remote code execution on our infrastructure; mass exfiltration of audit reports, client data, or credentials; ability to forge a valid Vibranium audit signature. | $10,000 – $25,000
HIGH | Authentication bypass; horizontal privilege escalation to other clients' data; XSS with session-token theft on the logged-in admin panel. | $3,000 – $8,000
MEDIUM | CSRF on sensitive actions; IDOR exposing non-public report metadata; SSRF without internal-network access. | $500 – $2,000
LOW | Self-XSS, missing security headers with no demonstrable impact, rate-limit bypasses, information disclosure of public-by-design data. | $50 – $250
SWAG | Best-practice reports, low-impact findings, hardening suggestions accepted into our threat model. | Swag + Hall of Fame entry

Scope

Be precise. Submissions outside scope will be closed without a bounty.

✅ In scope

  • vibraniumaudits.com and all subdomains
  • app.vibraniumaudits.com client dashboard
  • api.vibraniumaudits.com public + authenticated endpoints
  • Audit-report verification endpoints and signature validation
  • The N.A.O.M.I.E. waitlist platform
  • Our public GitHub organisation infrastructure
  • Our own Solidity tooling published under the VibraniumAudits org

❌ Out of scope

  • Smart contracts of clients we have audited (report those directly to the client)
  • Third-party services we depend on (Webflow, Crisp, Calendly, Brandfetch, Cloudflare)
  • Social engineering of staff or clients
  • Physical attacks, theft of devices, dumpster-diving
  • DoS / DDoS / volumetric attacks of any kind
  • Rate-limit bypasses with no security impact
  • Self-XSS that requires the victim to paste code into the dev console
  • Findings only reachable via outdated browsers or unsupported configurations

How to submit

Fast triage. Clear status. Bounty wired in USDC within 14 days of acceptance.

1. Find a bug: hack against our public surface (in-scope items only). Don't touch other people's data.

2. Write it up: title, severity estimate, reproduction steps, impact, proof of concept, suggested fix. Be precise.

3. Email security: send to security@vibraniumaudits.com (PGP key on request). We acknowledge within 24h.

4. We triage: initial triage within 3 business days. We classify severity using our public rubric and reply with a decision.

5. Fix & verify: we patch in production. You re-verify the fix. We agree the final severity together.

6. Get paid: bounty paid in USDC on Polygon or Base within 14 days of fix confirmation. Hall of Fame entry awarded.

Programme rules

The boring-but-important stuff. Submissions that don't follow these rules are not eligible for a bounty.

Researchers must:

  • Disclose responsibly: report to us first, give us 90 days to fix before any public disclosure. We will not threaten legal action against researchers who follow this policy.
  • Stay in scope: only test in-scope assets. Do not touch other clients' data, other clients' contracts, or third-party services.
  • One report, one bug: file separate reports for separate issues. Don't chain unrelated findings together to inflate severity.
  • No automated dumping: if your tooling generates 200 low-severity reports, we won't pay for any of them. Use judgement.
  • No live exploitation: demonstrate the bug, screenshot the impact, then stop. Do not exfiltrate, modify, or destroy data.
  • Don't post publicly first: Twitter threads, Mirror posts, conference talks before our acknowledgement disqualify the finding.
  • First valid reporter wins: if two researchers report the same issue, the bounty goes to the first complete, reproducible report received.
  • Be human: we work with you, you work with us. Threats, harassment, or extortion attempts forfeit all bounties.

Hall of Fame

Researchers who have responsibly disclosed verified findings on the Vibranium platform. Public credit by request — we respect handles.

The Hall of Fame is open for its first entries.

Submit a verified finding to be listed here — your handle, role, and finding tier.

Ready to test our defences?

Read the rules, find a real bug, get paid in USDC. We triage every submission within 3 business days.

Contact: security@vibraniumaudits.com