Overview

CoreSwap is an open source DeFi protocol. To make it more secure for the users, CoreSwap has a continuous bug bounty program (“Program”). Professional programmers and developers are invited to participate in this Program and get rewards from CoreSwap based on following the terms and conditions.

Scope

This Program is limited to the vulnerabilities affecting CoreSwap V1 in the following contracts: CoreSwap Core
Periphery Contracts
For purposes of the Program, bugs in Periphery Contracts will be considered less severe than those found in CoreSwap V1 Core. The following are not within the scope of the Program: The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;
• Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);
• Bugs in any third party contract or platform that interacts with CoreSwap V1;
• Vulnerabilities already reported and/or discovered in contracts built by third parties on CoreSwap V1; and
• Any already-reported bugs.
Vulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program: • Front end bugs;
• DDOS attack;
• Spamming;
• Automated tools; and
• Compromising or misusing third party systems or services.

Program Rewards

Severity of bugs will be assessed under CVSS Risk Rating scale, as follows:
• Critical (9.0-10.0): Up to $4,000
• High (7.0-8.9): Up to $1,000
• Medium (4.0-6.9): Up to $200
• Low (0.1-3.9): Up to $100
In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.
Prior to the deployment of CoreSwap™ V2 to the Ethereum mainnet, which is expected to occur in May 2021, successful bug reporters will receive a 10% bonus on their bounty pay out. This is to incentivize hackers to come forward before launch.

Disclosure

Any vulnerability or bug discovered must be reported only to the following email: technical@CoreSwap.io; must not be disclosed publicly; must not be disclosed to any other person, entity or email address prior to disclosure to the technical@CoreSwap.io email; and must not be disclosed in any way other than to the technical@CoreSwap.io email. In addition, disclosure to technical@CoreSwap.io must be made promptly following discovery of the vulnerability. Please include as much information about the vulnerability as possible, including: • The conditions on which reproducing the bug is contingent.
• The steps needed to reproduce the bug or, preferably, a proof of concept.
• The potential implications of the vulnerability being abused.
• A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.