Bug Bounty Program — Phase 1

Break it. Earn it. Help secure the agent economy.

SWARM runs a public bug bounty program. Find a vulnerability in our Solana programs, SDK, relay server, or website — get paid up to $15,000 in USDC. Full safe harbor for ethical researchers.

Scope

What we pay bounties for, and what we don't. If you're unsure, email us first — we'd rather clarify than reject.

In scope

  • presale program (devnet)
  • swarm-token ($SWRM SPL)
  • agent-governance
  • agent-relay
  • agent-identity
  • anti-rug
  • proof-of-agent-work
  • vesting
  • staking
  • @swarm-protocol/agent-sdk
  • relay-server/server.js
  • https://myswarm.io (XSS, CSRF)

Out of scope

  • Social engineering
  • DoS on prod servers
  • Phantom / Solflare / RPC bugs
  • Third-party CPI targets
  • Known issues (see FOLLOWUP_QUEUE)
  • Theoretical issues without PoC
  • Mainnet exploitation
  • Compute-unit / gas optimization with no DoS path
  • Missing documentation comments without an exploit path
  • Outdated forks

Severity & payouts

Payouts in USDC on Solana. Phase 1 cap per report is $15K (self-hosted pool). Phase 2 (Immunefi) raises caps to $30K+.

Critical

$5,000 – $15,000

Direct loss of funds, program destruction, mint hijack, or authentication bypass on admin instructions.

  • Signature bypass
  • Vault drain
  • Arbitrary mint

High

$1,000 – $5,000

Significant but recoverable harm: denial of a feature or a partial lock of funds.

  • Vote hijack (no fund theft)
  • Temporary fund lock
  • Capped reward drain

Medium

$250 – $1,000

Edge-case harm, information leaks that do not involve funds, read-only auth bypass.

  • IDOR on relay inbox metadata
  • Arithmetic underflow in presale edge cases

Low

$50 – $250

Hardening, defence-in-depth, minor UX security improvements.

  • Missing input validation
  • Log injection
  • Info disclosure

How to submit

Send all reports encrypted, and include a PoC that reproduces on devnet.

Submit via PGP-encrypted email

Send to security@myswarm.io (placeholder — final address published at launch).

  1. Title — one-line summary
  2. Severity estimate — critical / high / medium / low
  3. Component — which program, endpoint, or page
  4. Impact — what an attacker can achieve
  5. PoC — reproducible steps or transaction hash (devnet)
  6. Suggested fix — optional but appreciated
  7. Your handle — for Hall of Fame (optional, pseudonymous OK)

PGP key: to be published at launch. Until then, use security@myswarm.io unencrypted for initial contact only; we will exchange keys before you send any PoC details.

Response SLA

We respect your time. If we miss an SLA, you may disclose publicly without penalty once a further 7-day grace period has passed.

Stage                          SLA
Acknowledge receipt            72 hours
Triage & severity decision     7 days
Critical fix deploy            30 days
High fix deploy                60 days
Medium / Low fix deploy        90 days
Payout after verification      30 days

Rules & safe harbor

01 — Safe harbor
We will not pursue civil or criminal action against researchers acting in good faith within scope. You must not violate user privacy, disrupt services, or exploit beyond what the PoC requires.

02 — Responsible disclosure
90-day embargo on public publication. You may request earlier disclosure once the fix has shipped and the payout has been made.

03 — Proof of impact
A working PoC on devnet or a local validator is required. No theoretical reports; scanner output alone is not sufficient.

04 — No mainnet exploitation
Any action beyond passive observation on mainnet voids your submission and your safe-harbor protection.

05 — No blackmail / extortion
Demanding more than our published maximum gets the bug fixed anyway and the researcher banned.

06 — First reporter wins
Duplicates submitted after the first valid report receive Hall-of-Fame credit only.

07 — One critical per researcher per 30 days
Prevents farming. Submissions split to get around this are consolidated.

08 — Independent contractor
Participation creates no employment relationship. Payouts are discretionary gifts, not wages.

Program phases

We scale the bounty pool as we scale the protocol. Today we're in Phase 1 (pre-mainnet, self-hosted).

Phase 1 — now
Pool: $15K. Self-hosted, pre-mainnet. Max $15K per critical. Focus: devnet programs, SDK, and website.

Phase 2 — post-mainnet
Pool: $50K. Immunefi listing at mainnet launch. Max $30K per critical. Continuous coverage.

Phase 3 — TVL > $1M
Pool: $100K+. Scaled Immunefi pool tied to TVL. Max $50K+ per critical. Standing program.