Cantina Bounty

@Cantina-8597

Live

Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.

Guidelines

  1. Scope: Only vulnerabilities found on our websites are eligible.

  2. Testing: Do not perform any testing that could disrupt our services or compromise user data.

  3. Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.

  4. Submission: All submissions must be made through this bounty repository on Cantina Code. More details on submissions here.

Vulnerability Rewards

Here's a general overview:

Severity    Reward Range
Critical    $20,000 - $25,000
High        $10,000 - $20,000
Medium      $1,000 - $10,000
Low         Discretionary

Severity Levels

  1. Critical

    • Remote code execution
    • Unauthorized access to sensitive user data
    • Ability to perform actions as a privileged user
  2. High

    • SQL injection
    • Cross-Site Scripting (XSS) with significant impact
    • Authentication bypass
  3. Medium

    • Cross-Site Request Forgery (CSRF)
    • Server-Side Request Forgery (SSRF)
    • Sensitive information disclosure
  4. Low

    • Cross-Site Scripting (XSS) with limited impact
    • Open redirects
    • Clickjacking vulnerabilities

Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.

Out of Scope

The following activities and vulnerability types are considered out of scope for this bug bounty program:

  1. Physical attacks against our employees, offices, or data centers
  2. Social engineering attacks against our employees or users
  3. Vulnerabilities in applications or systems not owned by us
  4. Vulnerabilities requiring physical access to a user's device
  5. Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

Testing Guidelines

To ensure safe and responsible testing:

  1. Use only your own accounts or test accounts for testing.
  2. Do not attempt to access, modify, or destroy data that does not belong to you.
  3. Be mindful of testing that might impact system availability or integrity.
  4. Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.

Thank you for helping us keep our platform secure!

Total reward

$25,000

Findings submitted

56

Start date

Jul 27, 2024
