Injective

@injective
Live

Introduction

Injective is a fast, interoperable layer-one blockchain optimized for building Web3 finance applications. Injective is incubated by Binance and is backed by prominent investors such as Jump Crypto, Pantera and Mark Cuban. The goal of this Bug Bounty Program is to encourage responsible security research by providing incentives for finding and reporting vulnerabilities in Injective's codebase and related systems. By participating in this Program, you help us maintain a safe, secure, and reliable environment for our users.

Scope

In-Scope Targets

If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

Vulnerabilities found in upstream vendor systems such as Cosmos-SDK, IBC, CometBFT and CosmWasm fall outside this policy and should be reported to the respective vendor following their disclosure policy (if any).

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

  • No Public Disclosure Without Consent:
    Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

  • No Exploitation or Data Exfiltration:
    Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

  • No Conflict of Interest:
    Individuals currently or formerly employed by Injective, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Reports must include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue, ideally with a proof of concept.
  • Details on the conditions under which the issue occurs.
  • Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level      | Impact: Critical | Impact: High | Impact: Medium | Impact: Low
--------------------|------------------|--------------|----------------|--------------
Likelihood: High    | Critical         | High         | Medium         | Low
Likelihood: Medium  | High             | High         | Medium         | Low
Likelihood: Low     | Medium           | Medium       | Low            | Informational

Impact Definitions:

  • Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
  • High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
  • Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
  • Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

  • Core Smart Contract Code:

    Risk Score | Payout Range
    -----------|----------------
    Critical   | Up to $500,000
    High       | Up to $100,000
    Medium     | Up to $25,000
    Low        | Discretionary

  • Web Interface / Frontend:

    Risk Score | Payout Range
    -----------|----------------
    Critical   | Up to $50,000
    High       | Up to $30,000
    Medium     | Up to $10,000
    Low        | Discretionary

Note: Actual reward amounts are determined at Injective's sole discretion. Factors influencing payout include report quality, completeness, severity, and exploitability.

Other Terms

By submitting a report, you grant Injective the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Injective. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.

Total reward

$500,000

Findings submitted

37

Start date

4 Feb 2025
