Story is a peer-to-peer intellectual property network that creates a programmable market for knowledge and creativity. Scientific and creative assets are registered on a universal ledger with customizable usage parameters. All assets are equipped with a composable interface that can be consumed by any software application or artificial intelligence model, allowing intellectual property to be used and monetized across the internet. A network-wide graph coordinates all intellectual property assets, with nodes representing atomic assets and edges representing the legal and economic commitments between them. The network evaluates the uniqueness of each asset via an asynchronous and decentralized validation service driven by cryptoeconomic incentives. Participation in the protocol contributes to the growth of the only open and permissionless repository of the world's knowledge and creativity.

In Scope:

The World's IP Blockchain has several layers: Layer 1 blockchain (Cosmos fork as CL, Geth fork with IPGraph precompile as EL), Proof of Creativity smart contract protocol and several apps to help users.

Blockchain Layer

Payout Matrix:

Payments will be in $IP tokens, denominated in USD at the time of submission.

Severity	Impact	Reward
Critical	Minting tokens violating protocol invariants (tokens per block, staked tokens). Takeover smart contract admin methods. Violating BFT assumptions, acquiring voting power vastly disproportionate (20x) to stake, or any other issue that can meaningfully compromise the integrity of the blockchain's proof of stake governance. User Fund Vulnerabilities: Exploits causing the permanent locking, loss, or theft of multiple user funds greater than $5M. Network not being able to confirm new transactions (total network shutdown ) requiring a hard fork or rollback to resolve	$30,000 - $600,000
High	Temporary total network shutdown or unintended chain split (duration greater than 1 hour). Non network critical loss of funds at protocol level	$10,000 - $30,000
Medium	Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network. Moderate impact on usability, monetary losses, or integrity	$2,000 - $10,000
Low	Small impact, minor exploit that does not affect security	$500 - $2,000
Informational	No direct security impact, but best practice improvements	$0 - $100

Repos

• https://github.com/piplabs/story
• https://github.com/piplabs/story/tree/main/contracts
• https://github.com/piplabs/story-geth (Only the vulnerabilities related to our modifications to the Geth codebase)
• Story's modifications to Cosmos
  • https://github.com/piplabs/cosmos-sdk/tree/piplabs/v0.50.10

Smart Contract Layer: Proof of Creativity Smart Contract Protocol and Periphery

Payout Matrix:

Payments will be in $IP tokens, denominated in USD at the time of submission.

Severity	Impact	Reward
Critical	Protocol critical loss of funds and/or IPAsset property. Total denial of service caused by errors in the protocol smart contracts. Governance takeovers for protocol critical roles	$50,000 - $150,000
High	Non protocol-critical loss of funds and/or IPAsset property. Partial denial of service caused by errors in the protocol smart contracts	$10,000 - $50,000
Medium	Moderate impact on usability, monetary losses, or integrity	$2,000 - $10,000
Low	Small impact, minor exploit that does not affect security	$500 - $2,000
Informational	No direct security impact, but best practice improvements	$0 - $100

Repos

• https://github.com/storyprotocol/protocol-periphery-v1
• https://github.com/storyprotocol/protocol-core-v1

App Layer: Website, Apps and APIs:

• .storyprotocol.xyz
• .storyrpc.io
• .storyprotocol.net
• .story.foundation
• .storyapis.com
• .piplabs.xyz

Payout Matrix:

Payment will be in $IP tokens, denominated in USD at the time of submission.

Severity	Impact	Examples	Reward
Critical	Full compromise of wallets, infrastructure, or API security	Account takeover, Private key leakage, RCE on production systems, SSRF leading to internal network access, database dumps with sensitive data, critical auth bypass, takeover of Story Protocol's cloud environment (e.g., AWS, GCP, Azure)	$3000 - $30000
High	Major security impact but no full compromise	High-impact IDOR, significant authentication/authorization bypass, stored XSS affecting admin or privileged users, SSRF leading to internal metadata exposure, high-severity API leaks	$1500 - $3000
Medium	Moderate security impact with limited scope	Low-impact IDOR, reflected/stored XSS affecting standard users, moderate API misconfigurations, rate-limiting bypasses that allow mass account enumeration, sensitive information exposure in error messages	$500 - $1500
Low	Minor security misconfigurations with limited real-world impact	Self-XSS, missing security headers, lack of HTTP-only or secure flags on cookies, rate-limiting bypass on non-sensitive endpoints	$100 - $500
Informational	No immediate security impact, but good security hygiene	Minor misconfigurations, DNS record leaks, outdated libraries (with no PoC exploit), security best-practice suggestions	$0

Out of Scope:

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Entries generated with ChatGPT/LLM tools.
• Entries without any working POC.
• Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
• Previously known vulnerabilities in Tendermint, cosmos-sdk and or/any other fork of these.
• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
• Impacts caused by attacks requiring access to leaked keys/credentials.
• Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible.
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production.
• Issues reported in the previous Cantina Competition. Report available soon.
• Issues from our previous security audits.
• Feature requests and best practice recommendations.
• Social engineering and phising.

Smart Contracts/Blockchain

• Incorrect data supplied by third party oracles.
• Impacts requiring basic economic and governance attacks (e.g. 51% attack).
• Lack of liquidity impacts.
• Impacts from Sybil attacks.
• Impacts involving centralization risks.
• 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.

Website and Apps

• Theoretical impacts without any proof or demonstration.
• Impacts involving attacks requiring physical access to the victim device.
• Impacts involving attacks requiring access to the local network of the victim.
• Reflected plain text injection (e.g. url parameters, path, etc.).
• This does not exclude reflected HTML injection with or without JavaScript.
• Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
• Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
• Stack traces & error messages (unless they leak sensitive information).
• Captcha bypass using OCR without impact demonstration.
• Impacts causing only the enumeration or confirmation of the existence of users or tenants.
• Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
• Lack of SSL/TLS best practices.
• Impacts that only require DDoS.
• UX and UI impacts that do not materially disrupt use of the platform.
• Impacts primarily caused by browser/plugin defects.
• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
• Publicly accessible .git directories (if no sensitive files are exposed).
• SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
• Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
• Clickjacking on non-sensitive pages (e.g., informational pages).
• Self-XSS (XSS that only affects the person reporting it).
• CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
• CORS misconfigurations that do not allow credential theft or sensitive data exposure.
• Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
• Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
• Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
• Session fixation (not relevant if the system uses stateless authentication like JWTs).

Program Rules

• Theoretical entries, entries without any working POC and ones generated with ChatGPT/LLM tools will be discarded. Any medium or higher severity vulnerabilities should come with a working POC that can be demonstrated on a local test environment that can be reproduced with the instructions in the appendix.
• You must send a clear and concise textual description of vulnerability, along with steps to reproduce the issue and/or a Proof of Concept, include attachments such as screenshots or proof of concept code as necessary.
• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic.
• Make every effort not to damage or restrict the availability of products, services, or infrastructure.
• Avoid compromising any personal data, interruption, or degradation of any service.
• Don't access or modify other user data, localize all tests to your accounts.
• Perform testing only within the scope.
• Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
• Don't spam forms or account creation flows using automated scanners.
• Don't break any law and stay in the defined scope.
• Any details of found vulnerabilities must not be communicated to anyone who is not Cantina Team or an authorized employee of Piplabs or Story Foundation without appropriate permission.
• In case that your findings is valid you will be asked for KYC verification to proceed with payments.

Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• Current employees ,vendors (auditors), partners and contractors of Story Protocol and Story Foundation are not eligible to participate in the bug bounty program.
• Former employees and contractors of Piplabs and Story Foundation, who ceased working with the aforementioned entities must wait 6 months before they are eligible to participate in the bug bounty program.
• Sanctioned individuals and/or organizations are not eligible to participate in the bug bounty program. These restrictions are put in place to ensure the objectivity of the bug bounty program and to prevent any potential conflicts of interest.
• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through Cantina.

Disclosure Guidelines

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• No vulnerability disclosure, including partial is allowed for the moment. The team will disclose the vulnerability publicly when safe, thanking the researcher if they choose to.

Response Times

• Critical: Response within 24 hours.
• High:- Response within 48 hours.
• Medium: and Low - Response within 72 hours.