The Request Finance bug bounty program currently targets security issues in the following scopes:
- Request Finance mobile app
It includes all the features that are live or in beta.
The rules of our bug bounty program are the following:
- Issues that are already known to the Request team are not eligible for bounty rewards. This includes issues already submitted by someone else.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- The Request core development team, employees, and all other people paid by Request Labs or the Request Network Foundation, directly or indirectly, are not eligible for rewards.
- The Request bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to rewards are at the sole and final discretion of the Request Finance bug bounty panel.
The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are ultimately determined at the sole discretion of the Request Foundation bug bounty panel. We also take into account the efforts put to find and report the vulnerability, including efforts put at giving proofs and solutions.
- Critical: up to 20 000 €
- High: up to 15 000 €
- Medium: up to 10 000 €
- Low: up to 2 000 €
- Note: up to 500 €
Bounties may be paid in ETH or REQ.
The bug bounty program has no end date until communicated otherwise.