Bug Bounty
MegaTAO takes the security of user funds seriously. We encourage responsible disclosure of any vulnerabilities discovered in the protocol.
Scope
The following are in scope for the bug bounty program:
Smart contracts: All deployed MegaTAO contracts on Bittensor EVM
Oracle contracts: Price oracle and related infrastructure
Economic vulnerabilities: Attacks that could drain funds, manipulate prices, or cause incorrect liquidations
Out of Scope
Frontend/UI issues that do not affect funds
Social engineering attacks
Denial-of-service attacks on RPC infrastructure
Issues in third-party dependencies outside our control
Known issues already documented in audit reports
How to Report
If you discover a vulnerability:
Do not disclose it publicly
Do not exploit it on mainnet
Email details to [email protected] with the subject line "Security Vulnerability Report"
Include a clear description, reproduction steps, and potential impact
Allow reasonable time for the team to investigate and remediate
Response Timeline
Acknowledgment: Within 48 hours of report
Initial assessment: Within 5 business days
Remediation: Depends on severity; critical issues are prioritized immediately
Rewards
Rewards are determined on a case-by-case basis depending on the severity and impact of the vulnerability. Critical vulnerabilities that could result in loss of user funds receive the highest rewards.
Critical: Direct loss of user funds or protocol insolvency. Reward: Case-by-case
High: Significant economic impact or privilege escalation. Reward: Case-by-case
Medium: Limited economic impact or incorrect state transitions. Reward: Case-by-case
Low: Minor issues with no direct financial impact. Reward: Case-by-case
Responsible Disclosure
We ask all researchers to follow responsible disclosure practices. We will not take legal action against researchers who report vulnerabilities in good faith and follow the guidelines above.
Thank you for helping keep MegaTAO secure. Reach out to [email protected] with any questions about this program.