Bug bounty campaign

Welcome to our Bug Bounty Program. We want the Aave protocol to be the best it can be, so we’re calling on our community to help us find any bugs or vulnerabilities. Submit a bug here and earn a reward of up to USD 250,000. Please see our Rules & Rewards sect

Rules & Rewards

Rules

Public disclosure of a vulnerability would make it ineligible for a reward.

Submissions need to be related to the Bounty Scope. Submissions outside the Bounty Scope won’t be eligible for a reward.

Technical knowledge is required for the process.

Any interference with the protocol, client or platform services during the process, whether on purpose or not, will make the submission invalid.

Duplicate issues are not eligible for a reward; only the first submission is eligible.

Terms and conditions of the bug bounty process may vary over time.

If you want to add more information to a provided issue, create a new submission giving reference to the initial one.

Our bug bounty follows a similar approach to the Ethereum Bug Bounty. The severity of issues will be assessed according to the OWASP risk rating model, based on Impact and Likelihood.

Rewards will be decided on a case-by-case basis, and the bug bounty program, terms, and conditions are at the sole discretion of Aave.

It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.

Rewards will vary depending on the severity of the issue. Other variables considered for rewards include: the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Aave.

Rewards

Rewards are paid in aUSDC tokens, based on the following severity scheme:

Note: up to $ 100
Very low: up to $ 500
Low: up to $ 1,000
Medium: up to $ 5,000
Very high: up to $ 50,000
Critical: up to $ 250,000

| Likelihood \ Severity | Very low | Low | Moderate | High | Severe |
|---|---|---|---|---|---|
| Almost certain | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 | $ 250,000 |
| Likely | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 | $ 50,000 |
| Possible | $ 100 | $ 500 | $ 1,000 | $ 5,000 | $ 10,000 |
| Unlikely | $ 100 | $ 100 | $ 500 | $ 1,000 | $ 5,000 |
| Almost possible | $ 100 | $ 100 | $ 100 | $ 500 | $ 1,000 |

Bounty scope

The bug bounty will be applicable for the following repositories, sources and sites:

References

Additional references to help during the bug finding process:

Vulnerabilities classification

Critical

An issue that might cause immediate loss of > 10% of the funds, or permanent impairment of the protocol state.

Very high / High

An issue that might cause immediate loss of > 10% of the funds, or severely damage the protocol state.

Medium

An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.

Very high / High / Note

An issue that might cause immediate loss of > 10% of the funds, or severely damage the protocol state.

Exclusions

While researching, we’d like to ask you to refrain from:

Denial of service
Spamming
Social engineering (including phishing) of Aave staff or contractors
Any physical attempts against Aave property or data centers

Safe harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted unde

Submit a bug

Please report the bug you found via this form. Try to be as specific and clear as possible when you fill out this form. We will be in touch as soon as possible after receiving the form.

Contact us

Feel free to contact us through our live chat, or email at: wecare@aave.com

We are also available in our Discord channel.