PoC Required
KYC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table. The final classification however takes into consideration the likelihood of the impact being achieved based on the table below. When submitting a bug report, select the original assigned impact level, but please be aware that its severity level may be reassigned based on the likelihood according to this table.
| Low Impact | Medium Impact | High Impact | |
|---|---|---|---|
| High Probability | MEDIUM | HIGH | CRITICAL |
| Medium Probability | LOW | MEDIUM | HIGH |
| Low Probability | LOW | LOW | MEDIUM |
In addition to Immunefi’s Vulnerability Severity Classification System, Polygon classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Polygon.
Impacts to other assets
Hackers are encouraged to submit issues outside of those outlined Impacts and Assets in Scope.
If Whitehats can demonstrate a critical impact of code in production for an asset not in scope, Polygon Labs encourages you to submit your bug report using the “primacy of impact exception” asset as outlined below.
Direct loss of funds
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Protocol insolvency
Loss of bridge or staking funds
Temporary freezing of funds
Theft of user fees
Transient consensus failures
Network not being able to confirm new transactions (total network shutdown)
Denial of service attacks
Denial of service attacks
Temporary freezing of funds for less than 1 week
Out of scope
- Broken link hijacking is out of scope
- Loss of funds held by third parties
- Best practice critiques
- Attacks using vulnerable, old or deprecated libraries, that are not exploitable
Smart Contracts and Blockchain/DLT
- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
- Previously known vulnerabilities in Tendermint and or/any other fork of these.
- Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
- Attacks using vulnerable, old or deprecated libraries, that are not exploitable
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers