πŸ”’ Security & Audits
Bug Bounty

🎯 Bug Bounty Program

Overview

SEAL360 is committed to the security of our platform and the safety of our users. We welcome security researchers to help identify vulnerabilities and will reward responsible disclosure.

πŸ’° Reward Structure

All rewards are paid in S360 tokens from the Growth Fund allocation.

Critical (9.0 - 10.0 CVSS)

Reward: 50,000 - 100,000 S360

Examples:

  • Unauthorized token minting
  • Draining of contract funds
  • Complete governance takeover
  • Critical smart contract vulnerabilities

High (7.0 - 8.9 CVSS)

Reward: 20,000 - 50,000 S360

Examples:

  • Flash loan attacks
  • Governance manipulation
  • Unauthorized fund access
  • Staking rewards manipulation

Medium (4.0 - 6.9 CVSS)

Reward: 5,000 - 20,000 S360

Examples:

  • DoS attacks
  • Front-running vulnerabilities
  • Price oracle manipulation
  • Access control issues

Low (0.1 - 3.9 CVSS)

Reward: 1,000 - 5,000 S360

Examples:

  • Gas optimization issues
  • Minor logic errors
  • UI/UX security issues
  • Information disclosure

πŸ“‹ Scope

In Scope

Smart Contracts (Primary)

  • βœ… SEAL360Token.sol
  • βœ… S360StakingRewards.sol
  • βœ… S360Governor.sol
  • βœ… S360TimelockController.sol
  • βœ… S360BondingCurve.sol
  • βœ… S360Vesting.sol
  • βœ… S360TimeVaultRND.sol
  • βœ… S360AchievementBadges.sol

Infrastructure

  • βœ… DApp (app.seal360.net)
  • βœ… API endpoints
  • βœ… Authentication system
  • βœ… Database security (with restrictions*)

Frontend

  • βœ… XSS vulnerabilities
  • βœ… CSRF attacks
  • βœ… Wallet connection exploits
  • βœ… Data leaks

Out of Scope

  • ❌ Third-party services (MetaMask, WalletConnect, etc.)
  • ❌ Avalanche network issues
  • ❌ Social engineering attacks
  • ❌ Physical attacks
  • ❌ DoS attacks on public infrastructure
  • ❌ Issues in dependencies (report to upstream)
  • ❌ Theoretical vulnerabilities without proof of concept

πŸ” Vulnerability Types We're Interested In

Smart Contract Vulnerabilities

  1. Reentrancy attacks
  2. Integer overflow/underflow
  3. Access control issues
  4. Flash loan attacks
  5. Front-running opportunities
  6. Gas manipulation
  7. Storage collision
  8. Delegate call injection
  9. Unprotected self-destruct
  10. Signature replay attacks

DApp Vulnerabilities

  1. XSS (Cross-Site Scripting)
  2. CSRF (Cross-Site Request Forgery)
  3. Authentication bypass
  4. SQL injection
  5. API vulnerabilities
  6. Insecure direct object references
  7. Sensitive data exposure
  8. Broken access control

πŸ“ Submission Guidelines

How to Report

  1. Email: security@seal360.net (PGP key available on request)
  2. Subject: [Bug Bounty] Brief description
  3. Include:
    • Detailed description of the vulnerability
    • Steps to reproduce
    • Proof of concept code/transaction
    • Affected contracts/components
    • Potential impact assessment
    • Suggested fix (optional)

Report Template

# Vulnerability Report
 
## Summary
[Brief description of the vulnerability]
 
## Severity
[Critical/High/Medium/Low]
 
## Affected Component
- Contract: [Contract name and address]
- Function: [Specific function]
- Version: [v2.4.0 or other]
 
## Vulnerability Details
[Detailed technical description]
 
## Proof of Concept
```solidity
// Code demonstrating the vulnerability

Steps to Reproduce

  1. Step 1
  2. Step 2
  3. ...

Impact

[Description of potential damage]

Suggested Fix

[Optional: Your proposed solution]

Discoverer

  • Name: [Your name]
  • Contact: [Email/Telegram]
  • Wallet: [For reward payment]

---

## ⏱️ Response Timeline

| Stage | Timeline |
|-------|----------|
| **Initial Response** | Within 24 hours |
| **Triage** | Within 3 business days |
| **Status Update** | Weekly until resolved |
| **Fix Development** | Based on severity (1-30 days) |
| **Reward Payment** | Within 7 days of fix deployment |

---

## πŸ† Hall of Fame

### Season 1 (2026)

| Researcher | Vulnerabilities | Reward | Month |
|------------|----------------|--------|-------|
| *Coming Soon* | - | - | - |

*Be the first to find a vulnerability and get featured here!*

---

## πŸ“œ Rules & Terms

### Responsible Disclosure
1. βœ… **Do**:
   - Report vulnerabilities privately
   - Wait for fix before public disclosure
   - Provide detailed information
   - Test on testnet only

2. ❌ **Don't**:
   - Attack mainnet contracts
   - Access user data
   - Disrupt services
   - Demand ransom
   - Public disclosure before fix

### Eligibility
- Open to anyone worldwide (excluding sanctioned countries)
- Must be 18+ or have parental consent
- SEAL360 employees and immediate family excluded
- First valid report wins (no duplicate rewards)
- Must not violate any laws

### Disqualification
Reports may be disqualified if:
- Already known or publicly disclosed
- Duplicate of existing report
- Out of scope
- Insufficient proof of concept
- Violates terms of service
- Uses automated scanners without manual verification

### Payment
- All rewards paid in **S360 tokens** from the Growth Fund
- Token amount based on SEAL360's assessment of severity and impact
- Final decision by security team
- Payment within 7 days of fix deployment via smart contract
- Tokens may have vesting schedule for large rewards
- Tax reporting responsibility of recipient

---

## πŸ” Security Best Practices

### For Researchers
1. Use testnet contracts for testing
2. Don't access user data
3. Don't launch DDoS attacks
4. Follow responsible disclosure timeline
5. Encrypt sensitive communications

### Our Commitments
1. Acknowledge receipt within 24 hours
2. No legal action for good-faith research
3. Fair and transparent reward process
4. Credit in public disclosure (if desired)
5. Maintain confidentiality

---

## πŸ“ž Contact

### Security Team
- **Email**: security@seal360.net
- **PGP Key**: Available on request
- **Response Time**: < 24 hours

### Bug Bounty Questions
- **Email**: bugbounty@seal360.net
- **Telegram**: @seal360security

---

## πŸ”„ Updates

This program is subject to change. Check back regularly for updates.

**Last Updated**: January 13, 2026  
**Program Version**: 1.0

---

## 🌟 Why Participate?

1. **Financial Rewards**: Earn up to 100,000 S360 tokens
2. **Recognition**: Hall of fame listing
3. **Impact**: Protect thousands of users
4. **Learning**: Gain experience with cutting-edge DeFi
5. **Network**: Connect with security community
6. **Token Upside**: Benefit from S360's growth potential

---

## πŸ“š Resources

- [Smart Contract Source Code](https://github.com/seal360/seal360-contracts)
- [Security Documentation](/security/overview)
- [Previous Fixes](/security/fixes-v3-3-1)
- [Test Suite](https://github.com/seal360/seal360-contracts/tree/main/test)

---

<Callout type="success">
  **Ready to hunt bugs?** Start by reviewing our [smart contracts on GitHub](https://github.com/seal360/seal360-contracts) and [testing on Fuji testnet](/integration/contract-addresses).
</Callout>
Known VulnerabilitiesπŸ“Š DeFi Comparison