V4 Bug Bounty Program
The security of CAP and its smart contracts are of utmost importance to us. For that reason, we’ve created an official CAP Bug Bounty Program to incentivize responsible disclosure of vulnerabilities.
Rewards will be allocated based on the severity of the bug disclosed and evaluated for rewards up to 100,000 USDC per bug.
The program includes vulnerabilities and bugs in any deployed CAP V4 contract. These include those within this GitHub repository. Please note that this may be subject to change and any new code will be announced on our Twitter page.
However if you find a bug in a CAP smart contract outside of these repositories, where user funds are at risk, the team will consider the issue to be in-scope for our bounty.
The following are not within the scope of the program:
- Third party contracts that are not under the direct control of CAP
- Issues already listed in the audits for the contracts above
- Bugs in third party contracts or applications that use CAP contracts
- The CAP web interface or other non contract related materials
Importantly, any bug found in official audits of the contracts is not eligible. As of this writing, an initial audit is underway and expected to be complete by mid-February 2023. Reported bugs are not eligible for payment before this audit is complete.
The program includes the following 3 level severity scale:
- Critical Issues that could impact numerous users and have serious financial implications. An example would be being able to lock contracts permanently or take funds from all users.
- High Issues that impact individual users where exploitation would pose moderate financial risk to the user.
- Medium Issues where the risk is relatively small and does not pose a threat to user funds.
Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined by CAP Labs.
Any vulnerability or bug discovered must be reported directly to our core developer on Discord (username: κappa#8972). An acknowledgement of receipt will be given within 24 hours.
The vulnerability must not be disclosed publicly or to any other person, entity or email address before our core developers have been notified, fixed the issue, and granted permission for public disclosure. Disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.