# Synor Bug Bounty Program

## Overview

The Synor Bug Bounty Program rewards security researchers who discover and responsibly disclose vulnerabilities in the Synor blockchain protocol and its implementations.

**Program Status:** Active

**Platform:** [Immunefi](https://immunefi.com/bounty/synor)

---

## Scope

### In-Scope Assets

| Asset | Type | Severity |
|-------|------|----------|
| `synor-consensus` | Smart Contract/Protocol | Critical |
| `synor-crypto` | Cryptography | Critical |
| `synor-vm` | Smart Contract VM | Critical |
| `synor-network` | Protocol/Network | High |
| `synor-dag` | Protocol Logic | High |
| `synor-rpc` | API/Web | Medium |
| `synord` (node) | Infrastructure | Medium |
| Web Wallet | Web/App | Medium |
| Explorer | Web/App | Low |

### In-Scope Vulnerabilities

**Critical (Blockchain/DeFi)**

- Double-spending attacks
- Consensus manipulation
- Unauthorized minting/burning
- Private key extraction
- Signature forgery
- Eclipse attacks
- 51% attack vectors

**High**

- Denial of service (network-level)
- Memory corruption
- Integer overflows affecting security
- Cryptographic weaknesses
- Smart contract reentrancy
- Cross-contract vulnerabilities

**Medium**

- RPC authentication bypass
- Information disclosure
- Transaction malleability (non-security)
- Rate limiting bypass

**Low**

- UI/UX vulnerabilities
- Information leakage (non-sensitive)
- Best practice violations

### Out of Scope

- Attacks requiring physical access
- Social engineering (phishing, etc.)
- Denial of service via resource exhaustion (without amplification)
- Third-party dependencies (report to upstream)
- Issues in test networks (unless exploitable on mainnet)
- Known issues listed in GitHub Issues
- Theoretical attacks without a PoC

---

## Rewards

| Severity | Reward (USD) | Examples |
|----------|--------------|----------|
| **Critical** | $50,000 - $100,000 | Double-spend, key extraction, consensus break |
| **High** | $10,000 - $50,000 | DoS, memory safety, crypto weakness |
| **Medium** | $2,500 - $10,000 | Auth bypass, info disclosure |
| **Low** | $500 - $2,500 | Minor issues, best practices |

### Reward Factors

Rewards are determined by:

1. **Impact** - What can an attacker achieve?
2. **Likelihood** - How easy is exploitation?
3. **Quality** - Report clarity and PoC quality
4. **Originality** - First reporter, novel technique

### Bonus Multipliers

| Factor | Multiplier |
|--------|------------|
| Working PoC | +25% |
| Suggested fix | +10% |
| Mainnet-ready exploit | +50% |
| Novel attack vector | +25% |

---

## Rules

### Eligibility

- You must be the first to report the vulnerability
- You must not have exploited the vulnerability
- You must not disclose publicly before the fix is deployed
- You must comply with all applicable laws
- Synor team members are not eligible

### Responsible Disclosure

1. **Report** - Submit via the Immunefi platform
2. **Confirm** - We acknowledge within 24 hours
3. **Triage** - We assess severity within 72 hours
4. **Fix** - We develop and test a fix
5. **Deploy** - The fix is deployed to production
6. **Disclose** - Public disclosure after 30 days (or sooner if agreed)
7. **Reward** - Payment processed within 14 days of fix deployment

### Good Faith

We will not pursue legal action against researchers who:

- Act in good faith
- Do not access user data
- Do not disrupt services
- Report promptly
- Do not demand payment beyond program terms

---

## How to Report

### Via Immunefi (Preferred)

1. Go to [immunefi.com/bounty/synor](https://immunefi.com/bounty/synor)
2. Click "Submit Report"
3. Fill out the vulnerability details
4. Include a PoC if possible
5. Submit and wait for acknowledgment

### Via Email (Alternative)

If Immunefi is unavailable:

**Email:** security@synor.cc

**PGP Key:** [link to key]

Include:

- Vulnerability description
- Steps to reproduce
- Impact assessment
- Your wallet address (for payment)

### Report Quality

A good report includes:

```markdown
## Summary
Brief description of the vulnerability

## Severity
Your assessment (Critical/High/Medium/Low)

## Affected Component
Which crate/module/file

## Steps to Reproduce
1. Step one
2. Step two
3. ...

## Proof of Concept
Code or commands to demonstrate

## Impact
What an attacker could achieve

## Suggested Fix (Optional)
How to fix it
```

---

## Response SLA

| Action | Timeframe |
|--------|-----------|
| Initial response | 24 hours |
| Severity assessment | 72 hours |
| Fix development | 7-30 days (severity dependent) |
| Reward payment | 14 days after fix |
| Public disclosure | 30 days after fix |

---

## FAQ

### Q: Can I test on mainnet?

**A:** No. Use testnet only. Mainnet exploitation will disqualify you.

### Q: What if I accidentally cause damage?

**A:** If you acted in good faith and reported immediately, we will not pursue action.

### Q: Can I publish my findings?

**A:** Yes, after the fix is deployed and the disclosure period ends.

### Q: How are duplicate reports handled?

**A:** The first valid report wins. Duplicates may receive a partial reward for additional information.

### Q: What currencies do you pay in?

**A:** USDC, USDT, or SYNOR tokens (your choice).

---

## Hall of Fame

| Researcher | Finding | Severity | Date |
|------------|---------|----------|------|
| *Be the first!* | - | - | - |

---

## Contact

- **Security Team:** security@synor.cc
- **Immunefi Program:** [immunefi.com/bounty/synor](https://immunefi.com/bounty/synor)
- **Discord:** #security-reports (for general questions only)

---

## Legal

This program is governed by the Synor Bug Bounty Terms of Service. By participating, you agree to these terms.

Synor reserves the right to:

- Modify program terms with 30 days' notice
- Determine severity classifications
- Withhold payment for policy violations

---

*Last Updated: January 2026*