Bug bounty campaign
Welcome to our Bug Bounty Program. We want Aave protocol to be the best it can be, so we’re calling on our community to help us find any bugs or vulnerabilities. Submit a bug here and earn a reward of up to USD 250,000$. Please see our Rules & Rewards section for more details.
Rules
- Public disclosure of a vulnerability would make it ineligible for a reward.
- Technical knowledge is required for the process.
- Duplicated issues are not eligible for reward. The first submission would be the eligible one.
- If you want to add more information to a provided issue, create a new submission giving reference to the initial one.
- Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of Aave.
- Rewards will vary depending on the severity of the issue. Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Aave.
- Submissions needs to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
- Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission process unvalid.
- Terms and conditions of the bug bounty process may vary over time.
- Our bug bounty follows a similar approach as Ethereum Bug Bounty. The severity of the issues will be based according to the OWASP risk rating model based on Impact and Likelihood.
- It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be elegible for a reward.
Rewards
The reward will be received in aUSDC token based on the severity scheme following:
Note = Up to $ 100
Very low = Up to $ 500
Low = Up to $ 1,000
Medium = Up to $ 5,000
High = Up to $ 10,000
Very High = Up to $ 50,000
Critical = Up to $ 250,000
Likelihood
Severity
Almost certain | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 | $ 250,000 |
Likely | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 |
Possible | $ 100 | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 |
Unlikely | $ 100 | $ 100 | $ 500 | $ 1,000 | $ 5,000 |
Almost possible | $ 100 | $ 100 | $ 100 | $ 500 | $ 1,000 |
Very low | Low | Moderate | High | Severe |
Likelihood
Severity
Almost certain | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 | $ 250,000 |
Likely | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 |
Possible | $ 100 | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 |
Unlikely | $ 100 | $ 100 | $ 500 | $ 1,000 | $ 5,000 |
Almost possible | $ 100 | $ 100 | $ 100 | $ 500 | $ 1,000 |
Very low | Low | Moderate | High | Severe |
Bounty Scope
The bug bounty will be applicable for the following repositories, sources and sites:
References
Additional references to help during the bug finding process
Vulnerabilities Classification
Critical
An issue that might cause immediate loss of > 10% of the funds, or permanent impairment of the protocol state.
Very High / High
An issue that might cause immediate loss of <10% of the funds, or severely damage the protocol state.
Medium
An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.
Low / Very Low / Note
An issue that might cause user dissatisfaction or minimal failure.
Exclusions
While researching, we’d like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of Aave staff or contractors
- Any physical attempts against Aave property or data centers
Frequently Asked Questions
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Submit a bug
Please report the bug you found via this form. Try to be as specific and clear as possible when you fill out this form. We will be in touch as soon as possible after receiving the form.
Contact us
Feel free to contact us through our live chat, or email at: [email protected]
We are also available in our discord channel.