# Karak Network Bug Bounty Program

*Bug Bounty Program Details*

By [oktydrn](https://paragraph.com/@oktydrn) · 2024-05-26

---

**Overview**

- The security of Karak and its smart contracts is of utmost importance to us. For that reason, we have a Karak Bug Bounty Program to incentivize responsible bug disclosure.
- Rewards will be allocated based on the severity of the bug disclosed and assets at risk.

**Scope**

- The Program includes vulnerabilities and bugs in any deployed Karak contract.

**Rewards**

- The Program includes the following 4-level severity scale:

  - Critical: Issues that could impact numerous users and have serious reputational, legal or financial implications. An example would be being able to lock contracts permanently or take funds from all users.
  - High: Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.
  - Medium: The risk is relatively small and does not pose a threat to user funds.
  - Low/Informational: The issue does not pose an immediate risk but is relevant to security best practices.

- Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Karak. You can find out more about this scale at the **OWASP risk rating methodology page**.

**Disclosure**

- Any vulnerability or bug discovered must be reported only to the following email: [security@karak.network](mailto:security@karak.network).
- An acknowledgment of receipt will be given within 3 business days by Karak. The vulnerability must not be disclosed publicly or to any other person, entity, or email address before Karak has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, the disclosure must be made within 24 hours following the discovery of the vulnerability.
- A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  - The conditions on which reproducing the bug is contingent.
  - The steps needed to reproduce the bug or, preferably, a proof of concept.
  - The potential implications of the vulnerability being abused.

- Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.

**Eligibility**

- To be eligible for a reward under this Program, you must:

  - Discover a previously-unreported, non-public vulnerability that is not previously known by the team and within the scope of this Program.
  - Be the first to disclose the unique vulnerability to [security@karak.network](mailto:security@karak.network), in compliance with the disclosure requirements.
  - Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  - Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  - Not publicize a vulnerability in any way, other than through private reporting to us.
  - Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
  - Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  - Not engage in any unlawful conduct when disclosing the bug to [security@karak.network](mailto:security@karak.network), including through threats, demands, or any other coercive tactics.
  - Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
  - Not be subject to US sanctions or reside in a US-embargoed country.
  - Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.
  - Comply with all the eligibility requirements of the Program.

**Other Terms**

- By submitting your report, you grant Karak any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
- The terms and conditions of this Program may be altered at any time.

Salam.


---

*Originally published on [oktydrn](https://paragraph.com/@oktydrn/karak-network-bug-bounty-program)*
