Meta Pool is an open source, community focused project, keeped by a core team that is launching upgrades and new products to the Meta Pool ecosystem.
This bug bounty program looks to support community members that discover vulnerabilities inside the Meta Pool ecosystem, that mainly affects on-chain operation.
Bug Severity Level
The bug severity level is the score assigned by the core team to the bugs found by community members. In order to get your bug scored we need to be able to reproduce it and find it is a real risk.
Critical: up to 25 000 points = $5,000 USD
High: up to 15 000 points = $3,000 USD
Medium: up to 10 000 points = $2,000 USD
Low: up to 2 000 points = $400 USD
Note: up to 500 points = $100 USD
Each point is valued to $0.2 USD, that can be claimed to the Meta Pool core team, it can be payed in $META, USDT or stNEAR tokens, depending on the availability of the treasury. Meta Pool team will proceed paying them at the end of each month. Payment would be done during the month after it is claimed.
I’ve Found a Bug, What Should I Do?
Stay calm and breath, we would take care of it, please follow the next steps:
Do double check that it is a real bug that is affecting Meta Pool, or one of its services. Ever taking care that the tests you are running will not affect other users.
Once you verify a bug is found, document it with more details as possible, including steps to reproduce, links, screenshots, github repositories, and any other detail that can be helpful to reproduce the bug.
Notify us through this form and avoid sharing it as public information, in order to prevent malicious people from exploiting the bug.
Once you notify us, the core team will reproduce the bug and score it according to the bug severity level.
Reports in which we are not interested include:
Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
Vulnerabilities affecting outdated or unpatched browsers.
Vulnerabilities in third party applications that make use of Meta Pool tokens.
Vulnerabilities publicly disclosed in third party libraries or technology used in Meta Pool products, services, or infrastructure earlier than 30 days after the public disclosure of the issue.
Vulnerabilities that have been released publicly prior to Meta Pool issuing a comprehensive fix.
Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter).
Issues that aren't reproducible.
Vulnerabilities that require an improbable level of user interaction.
Vulnerabilities that require root/jailbreak on mobile.
Missing security headers without proof of exploitability.
TLS Cipher Suites offered.
Suggestions on best practices.
Software version disclosure.
Any report without an accompanying proof of concept exploit.
Issues that we can't reasonably be expected to do anything about, such as issues in technical specifications that Meta Pool must implement to conform to those standards.
The output from automated tools/scanners.
Issues without any security impact.
Any other that the team considers.
Bug bounty program is an experimental collaboration between core team and community members, there is no explicit duty from Meta Pool team to pay the rewards if there is no bilateral agreement between parties.
Meta Pool reserves the right to close the Bug Bounty program at any time without previous notice. However please note that duties agreed bilaterally before that will be respected.