The security of the STFIL DAO system is paramount to the STFIL protocol. However, even with rigorous auditing, there is still a possibility of vulnerabilities given the constantly evolving ecosystem. That is why we have implemented a bounty program to identify errors and vulnerabilities in the protocol infrastructure and smart contracts. We will reward any organization or individual who helps us make the system as robust as possible.

Classification

To be eligible for a reward, submitted issues must meet the minimum severity criteria as described below. Approved submissions will be rewarded with stFIL tokens based on the severity category of the issue:

Low​

Up to $500 - issues that may cause user dissatisfaction or minor technical malfunctions.

Medium​

Up to $2,500 - issues that may result in minor losses of less than 0.1% of the protocol's funds, disrupt the protocol's state, or cause significant user dissatisfaction or moderate technical malfunctions.

High​

Up to $5,000 - issues that may result in immediate losses of 0.1% < X <10% of the protocol's funds or seriously disrupt the protocol's state.

Critical​

Up to $10,000 - issues that may result in immediate losses of 10% or more of the protocol's funds or permanently damage the protocol's state.

Rule

The reward will vary depending on the severity of the issue. Additionally, you can increase the reward by providing high-quality information in the following areas: problem description, instructions for reproducing the issue, and a solution (optional).

1. If you want to add more information about the reported issue, you can create a new submission that references the initial one.

2. Repeated reports of known issues will not be eligible for rewards. The first submission will receive the reward, so please report the issue promptly.

3. The specifics of the reward for each event will be determined by STFIL DAO. The terms and conditions of the bug bounty program are at the sole discretion of STFIL Finance.

4. The terms and conditions of the bug bounty program may change over time.

5. Any interference with the protocol or client/platform services while an issue is still active, whether accidental or not, will invalidate the submission and disqualify it from receiving a reward.

6. Public disclosure of the bug will result in the disqualification of the submission. Please read and adhere to the responsible disclosure policy below, or your report may not be eligible for a reward.

Disclosure Policy

If you discover a vulnerability, please make sure to follow all of the following steps:

1. Write a detailed and accurate problem report as soon as possible, then send it to: security@stfil.io.

2. Do not disclose any information about the issue to anyone outside the team.

3. Do not exploit the issue for personal gain.

4. Do not attack our system or protocol.

5. Once we receive your report, we promise to do the following:

6. Respond to your report as quickly as possible.

7. Keep your report strictly confidential.

8. Provide you with the latest status of your submission and the solution to the reported problem.

9. Unless you have other preferences, you will be named the successful bounty hunter of the issue.

10. Provide you with rewards to thank you for helping us make STFIL as secure as possible!