At Cantina, we prioritize the security and integrity of our ecosystem. Our Bug Bounty program aims to foster collaboration between researchers and clients to identify and resolve vulnerabilities before they can be exploited. See Bounty Severity Classification for how vulnerabilities are categorized and rewards are determined.

Testing Guidelines

To ensure responsible testing:
  • Use local forks instead of public chains.
  • Avoid actions that may disrupt network integrity.
  • Do not access or modify data that does not belong to you.
  • Provide detailed reports with proof of concept and steps to reproduce.

Eligibility

To qualify for a bounty, submissions must meet the following criteria:
  • Report a previously unknown, non-public vulnerability within the program’s scope.
  • Be the first to disclose the vulnerability.
  • Provide sufficient information to reproduce and resolve the issue.
  • Avoid exploiting the vulnerability or disclosing it publicly.
  • Comply with all program rules and guidelines.

Prohibited Actions

The following actions are prohibited:
  • Testing on public mainnet/testnet deployments.
  • Public disclosure of vulnerabilities without prior consent.
  • Exploitation of vulnerabilities for personal gain.
  • Engaging in illegal activities or coercive tactics.

Mediation Process for Bounties

At Cantina, we foster a collaborative environment where researchers and clients can work together to resolve disputes in a fair and transparent manner.
To initiate mediation, set the finding’s status to Disputed in Cantina Code. That status triggers the process so Cantina can step in and help resolve the disagreement.
Only findings in Disputed status are eligible for mediation. If you disagree with a Rejected or Duplicate decision, set the finding to Disputed to request mediation.

1. Submission of Finding

  • Researcher: Submits a finding.
  • Client: Reviews the finding and provides feedback.

2. Disagreement

Disagreements may arise over:
  • Severity assessment.
  • Finding validity.

3. Escalation to Cantina

If a resolution cannot be reached, either party can escalate the finding to Cantina for mediation.

4. Triage and Solution Proposal

Cantina’s triaging team will:
  • Review the finding.
  • Propose a fair solution based on the guidelines.

5. Final Decision

The client has the final say on the resolution.

Client Rejection Policy

If a client rejects more than five findings in one year that Cantina believes are valid, Cantina reserves the right to:
  • Conduct a thorough review of the client’s participation.
  • Take necessary actions to ensure platform integrity.

Communication Guidelines During Mediation

  • Direct Communication: Researcher and client cease direct communication with each other for the duration of the mediation.
  • Reporting: Communicate all concerns to Cantina rather than to the other party.
  • Status Updates: Researchers can request updates through the relevant bug report thread.

By adhering to these guidelines and classifications, we ensure a fair and transparent process that benefits both researchers and clients, and fosters the growth of a secure and resilient ecosystem.