Security is one of our core values, and we value the input of hackers acting in good faith to help us maintain the highest standard for security at Vanilla. The Vanilla protocol, while it has gone through multiple professional audits, depends on new technology that may contain undiscovered vulnerabilities.
Vanilla encourages the community to audit our contracts and security; we also encourage the responsible disclosure of any issues. This program is intended to recognize the value of working with the community of independent security researchers, and sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
The Primary scope of the bug bounty program is for vulnerabilities affecting the on-chain Vanilla Protocol which currently includes only the following Ethereum Mainnet contracts:
This list of addresses will change as the Vanilla Protocol evolves, as new contracts are put into use or as existing contracts are replaced. Discovered vulnerabilities in any other contracts or deployments are excluded from the scope, including but not limited to:
The Secondary scope of the program is for vulnerabilities in the Vanilla Interface code that could plausibly result in unauthorized exploitation of users of the Vanilla Trading Interface, hosted at https://vanilladefi.com/trade.
Discovered vulnerabilities in any other user interfaces or third-party interface code are excluded from the Secondary scope, including but not limited to:
Vanilla offers substantial rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to a user, commensurate with the severity, likelihood, and exploitability of the vulnerability. Vanilla will pay a reward of $500 to $10,000 for eligible discoveries in Primary scope, and up to $2,500 for eligible discoveries in Secondary scope, according to the terms and conditions provided below.
Submit all bug bounty disclosures to security@vanilladefi.com. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. Vanilla will follow up promptly with acknowledgement of the disclosure.
To be eligible for bug bounty reward consideration, you must:
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:
When working with us according to this program, you can expect us to:
All reward determinations, including eligibility and payment amount, are made at Vanilla’s sole discretion. Vanilla reserves the right to reject submissions and alter the terms and conditions of this program.