
Bug bounty program

Status: PROPOSED v0.1. Final terms publish at production launch with the program live on Immunefi (or equivalent reputable platform). Payouts and scope below are the design intent.

BitView runs a continuous, no-end-date bug bounty for security issues affecting the platform's on-chain programs and BitView-operated infrastructure. Payouts up to $100K USD-equivalent for critical findings.

Why we run this

Independent security review at scale. We get more eyes on the codebase than we could pay full-time, and researchers get rewarded for surfacing issues responsibly. Both sides win when a critical bug is found before a malicious actor finds it.

Severity matrix and payouts

Severity      | Payout (USD-equivalent, paid in USDC) | Examples
Critical      | $25,000 – $100,000                    | Direct theft of user funds; arbitrary mint of BTV; treasury wallet drain; unauthorized vesting acceleration
High          | $5,000 – $25,000                      | Significant fund-loss vector requiring specific conditions; OFAC screening bypass with confirmed impact; arbitrary token issuance against streamer-token mints
Medium        | $1,000 – $5,000                       | Sybil-detection bypass with measurable accrual capture; auth bypass on protected API endpoints; royalty bypass on swap router
Low           | $250 – $1,000                         | Information disclosure without financial impact; auth bypass on read-only endpoints; XSS on non-trust pages
Informational | $0 (acknowledged + credited)          | Best practice, hardening suggestions, defense-in-depth

Payouts are at BitView's reasonable discretion within these ranges, based on:

  • Reproducibility and reliability of the exploit
  • Number of users affected
  • Complexity of the attack chain (a chain of medium-severity bugs that together yield critical impact is paid at the critical tier)
  • Quality of the report
  • Whether a working PoC was supplied

In scope

On-chain:

  • Merkle distributor program at 4ffj6hEnx6cqp4ToMALExqk6QwPNSbZyr8ro9yW1Qvok
  • BTV-related contracts when deployed (vesting, governance, sponsorship escrow)
  • BitView-controlled wallet addresses (theft / unauthorized-spend scenarios)

Off-chain:

  • api.bitview.so and all backend endpoints
  • app.bitview.so frontend
  • checkpoint.bitview.so (this site, for issues materially affecting user understanding of security)
  • Wallet-link auth flow end-to-end
  • Sybil detection (bypass with material accrual capture)
  • Sponsorship marketplace escrow flow
  • Swap router fee-skim path

Out of scope

  • Solana network bugs (Solana Foundation)
  • Underlying Metaplex / Jupiter / Meteora program bugs
  • DoS via traffic volume alone
  • Self-XSS, clickjacking on non-sensitive pages, missing security headers without exploit
  • Social engineering of BitView staff or users
  • Physical attacks
  • Rate-limiting bypasses without material impact
  • Already-known issues (we maintain a public "known issues" list once the program goes live)

How to report

Read the responsible disclosure policy first. Email security@bitview.so with the structured fields described there.

Reports come through the same channel as non-bounty disclosures. The triage team determines bounty eligibility and severity. We do not require pre-engagement or pre-registration to be eligible.

Eligibility criteria

To qualify for a payout you must:

  • Be the first reporter of the issue (we keep a private database of reports for adjudication).
  • Not exploit the vulnerability beyond demonstrating it (see disclosure policy for what's acceptable).
  • Not violate any applicable laws while researching.
  • Not be a current or former employee of BitView, the operating entity, or any vendor with privileged access to our systems.
  • Provide a valid Solana wallet to receive the USDC payment.
  • Provide tax identification documentation if the payout exceeds $10,000 (US Form 1099 or local equivalent).
  • Be in a non-sanctioned jurisdiction (we screen recipients against OFAC SDN at payout time).

Payment terms

Detail              | Value
Currency            | USDC on Solana
Payout wait         | Within 30 days of patch deployment + verification
Tax responsibility  | Recipient's (we provide documentation as required)
Currency conversion | At spot rate on the day of patch deployment

We do not pay in BTV unless the recipient explicitly requests it, and even then only for payouts under $10K, since conversion volatility on larger amounts is unfair to one side or the other.

Disqualifications

A report is disqualified from bounty payment if:

  • It exploits the vulnerability beyond proof-of-concept impact
  • It accesses or exfiltrates user data beyond the researcher's own test accounts
  • It triggers a denial-of-service condition during research
  • It involves social engineering of BitView staff or users
  • It was discovered through unauthorized access to BitView's internal systems
  • It was publicly disclosed before the coordinated disclosure window closed
  • It was previously reported by another researcher
  • It targets out-of-scope systems

Disqualification is at BitView's reasonable discretion. We will explain the reason if asked.

Coordinated disclosure

Stage                        | Timeline
Initial acknowledgment       | < 24 hours
Triage + severity assessment | < 7 days
Patch + verification         | Severity-dependent (Critical: 30 days max)
Public post-mortem           | < 30 days after patch deployment
Researcher credit            | At public post-mortem (with consent)
Public bounty disclosure     | Aggregated quarterly in the transparency report

Hall of fame

Researchers credited on the audits page. Anonymous credit is available on request. We pay you whether or not you accept the credit; we credit you whether or not you accept the payout.

Program review

Bounty payouts, scope, and severity definitions are reviewed annually and may be expanded as the platform's surface area grows. Significant updates are publicly announced. You are not penalized for reports filed under prior versions of the program.

Questions about a specific issue

If you're unsure whether something is in scope or qualifies, email security@bitview.so with "Question" in the subject line. We reply within 5 business days.

Final note

The dollar amounts in this program reflect what we currently believe is fair for a platform of our scale. As BitView grows, these amounts grow; the annual review may raise the critical-tier ceiling substantially as TVL increases. Researchers who file early are not penalized for filing under the current version of the program: their reports are credited and paid at the rates in force when they were filed.