Bug Bounty Program

Security is one of our core values, and we value the input of hackers acting in good faith to help us maintain the highest standard for security at Vanilla. The Vanilla protocol, while it has gone through multiple professional audits, depends on new technology that may contain undiscovered vulnerabilities.

Vanilla encourages the community to audit our contracts and security; we also encourage the responsible disclosure of any issues. This program is intended to recognize the value of working with the community of independent security researchers, and sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Scope

The Primary scope of the bug bounty program is for vulnerabilities affecting the on-chain Vanilla Protocol which currently includes only the following Ethereum Mainnet contracts:

• VanillaV1Router02 deployed at 0x72C8B3aA6eD2fF68022691ecD21AEb1517CfAEa6
• VanillaV1Token02 deployed at 0xbf900809f4C73e5a3476eb183d8b06a27e61F8E5
• VanillaV1MigrationState deployed at 0xB62726743Eec0573ec48457bDF02cB23F2387153
• VanillaV1Safelist01 deployed at 0x2d0338725b04533Bf4f6D2b4c56F008613679517

This list of addresses will change as the Vanilla Protocol evolves - as new contracts are taken into use or as existing contracts are displaced. Discovered vulnerabilities in any other contracts or deployments are excluded from the scope, including but not limited to:

• Same contracts deployed in other addresses or networks (like testnets)
• Other contracts in the Vanilla codebase (like test contracts)
• Third-party contracts or platforms that interact with the Vanilla Protocol contracts (like smart contract wallets or exchanges)

The Secondary scope of the program is for vulnerabilities in the Vanilla Interface code that could likely result in an unauthorized exploitation of the users of Vanilla Trading Interface, hosted at https://vanilladefi.com/trade.

Discovered vulnerabilities in any other user interfaces or third-party interface code are excluded from the Secondary scope, including but not limited to:

• Any Vanilla-integrating interfaces hosted outside the vanilladefi.com domain
• Any third-party software used with Vanilla Interface (like wallets)

Rewards

Vanilla offers substantial rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to a user, commensurate with the severity, likelihood, and exploitability of the vulnerability. Vanilla will pay a reward of $500 to $10,000 for eligible discoveries in Primary scope, and up to $2500 for eligible discoveries in Secondary scope, according to the terms and conditions provided below.

Disclosure

Submit all bug bounty disclosures to security@vanilladefi.com. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. Vanilla will follow up promptly with acknowledgement of the disclosure.

Terms and Conditions

To be eligible for bug bounty reward consideration, you must:

• Identify an original, previously unreported, non-public vulnerability within the scope of the Vanilla bug bounty program as described above.
• Include sufficient detail in your disclosure to enable our engineers to quickly reproduce, understand, and fix the vulnerability.
• Provide an Ethereum mainnet account address which is provably in your control, for reward transactions.
• Be at least 18 years of age.
• Be reporting in an individual capacity, or if employed by a company, reporting with the company’s written approval to submit a disclosure to Vanilla.
• Not be a current or former Vanilla employee, vendor, contractor, or employee of a Vanilla vendor or contractor.

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:

• Play by the rules, including following the terms and conditions of this program and any other relevant agreements. If there is any inconsistency between this program and any other relevant agreements, the terms of this program will prevail.
• Report any vulnerability you've discovered promptly.
• Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
• Use only security@vanilladefi.com to discuss vulnerabilities with us.
• Keep the details of any discovered vulnerabilities confidential until they are fixed.
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
• Only interact with accounts you own or with explicit permission from the account holder.
• Not engage in blackmail, extortion, or any other unlawful conduct.

When working with us according to this program, you can expect us to:

• Pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery, at Vanilla’s sole discretion
• Work with you to understand and validate your report, including a timely initial response to the submission.
• Work to remediate discovered vulnerabilities in a timely manner.
• Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

All reward determinations, including eligibility and payment amount, are made at Vanilla’s sole discretion. Vanilla reserves the right to reject submissions and alter the terms and conditions of this program.