
Bug Bounty Program

Hord offers financial rewards to any security professional for identifying and reporting valid vulnerabilities and exploits on our app and domains.

One of the foundations of decentralized security is community-driven auditing. We encourage you to identify bugs, penetration vectors, front-end vulnerabilities, financial attack vectors, and other issues that may risk or destabilize the network and its operations.

How it Works

To report a potential bug, please fill out the form below with detailed and comprehensive information.

Our team reviews and prioritizes reported bugs and implements fixes accordingly. Please allow us time to correct an issue before making it public.

Rewards

Rewards are proportional to the severity of the reported issue. Upon receipt of the completed form, our development team assigns a severity score to the problem and prioritizes it accordingly.

The assessment of the reported bug will follow the OWASP risk rating model, based on the impact and likelihood of the reported issue.

The reward amount per report is determined by the following factors:

  1. Demonstration of how the issue may be exploited to maximum effect.
  2. The severity of the issue.
  3. Issue complexity.
  4. Reproducibility of the issue.
  5. Existence of a pull request with a valid fix for the issue.

Below is a list of the approximate maximum amounts distributed, listed by order of bug severity:

  • Low
    up to 100 USD
  • Medium
    up to 500 USD
  • High
    up to 2,000 USD
  • Critical
    up to 5,000 USD

Stable tokens or an equivalent amount in HORD tokens will be rewarded for valid bug reports. If we find the bug supercritical and the report valid, we might pay even higher amounts.

We encourage you to uncover issues with the following characteristics:

  • Contracts

    Logic flaws / security issues / financial breaches.

  • Contracts

    Possible exploits and vulnerabilities - both architecture and implementation.

  • Contracts

    Upgradability and versions of schema attack vectors.

  • API

    Exploits, data breaches, leakages, permissions breaches, wrong behavior.

  • Hord Protocol

    Bugs, vulnerabilities, exploits, security breaches, cryptography errors.

  • Front-End

    Possible exploits through insertion of malicious code, XSS attacks, clickjacking attacks, or any vulnerabilities during Web3 interactions.

Eligibility

The first reporter who brings attention to a valid issue will be rewarded. Hord’s team might also choose to reward the first few people signaling the same problem.

We ask and encourage the community to report any bugs, even if they are not eligible for a reward. A better Hord is a win for all of us :)

Scope for

Including sub-domains and related mainnet environment.

Process

For security reasons, we might fix the bug even before contacting the reporter.

  • Step 1

    Fill out the form

  • Step 2

    Get rewarded
