- [ ] switch submit report to go to email
- [ ] which smart contract related issues do we want in scope and out of scope? (ask paxthemax)
- [ ] Specify smart contracts in scope (need to enumerate them) (find the right github repo?) (https://uniswap.org/bug-bounty for inspiration)
- [x] make TEC, Commons Stack vuln report page? (this means that we pay for those domains too) No
- [x] Should this program be for TEC and all sub services or just Giveth? Just Giveth
- [x] do we want an equivalent of the Amazon Private Program (hiring funnel for security researchers)? kinda
- [x] Do we need “other types of issues” section for non-vuln reporting?
- [x] Write SOP for responding to reports
- [ ] Do we need to state that we don’t work with sanctioned countries?
- [ ] Decide on [EDIT]s
- [ ] Take out TEC stuff
- [x] make email for submissions
- [ ] make bot for announcing incoming emails
- [ ] VyvyV can make a discord bot
- [ ] add new category for moving money
- [ ] what constitutes Compromise of GIV reserves
- [ ] Where does this page get posted? docs or on the app page
Our rewards are based on the severity of a vulnerability. Giveth uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of Giveth.
Issues may be assigned a lower severity than their raw CVSS score suggests because of compensating controls or context.
The amounts shown in the table are the maximum for each severity level, though bonuses may be given at Giveth's discretion.
| Severity | Reward (DAI equivalent in GIV) |
| --- | --- |
| Compromise of all GIV reserves (Ludicrous) | 20,000 |
| Critical | 500-2000 |
| High | 100-500 |
| Medium | 25-100 |
| Low | 10-25 |
| Business accepted risk or Informational | 0 |
Giveth Vulnerability Research Program (VRP) - Program Policy
Introduction
At Giveth, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Giveth product, service, or site, please report it to us. You may report a vulnerability using the “Submit Report” link on this page. Reports that fall within scope of Giveth’s Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Giveth more secure.
For vulnerabilities related to Token Engineering Commons (TEC), please visit the TEC Vulnerability Reporting Page.
What is VRP?
Giveth’s Vulnerability Research Program (VRP) is an initiative driven and managed by Giveth’s Information Security team.
Who Can Participate in the Program?
Giveth users and security researchers who discover a potential security finding within Giveth products or services can report it to the VRP.
Giveth employees and contractors, as well as their immediate family members are strictly prohibited from participating in the public bounty program, or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).
How the VRP Works
- Security researchers and customers of Giveth are encouraged to report any behavior impacting the information security posture of Giveth products and services.
- If you are performing research, you must use your own accounts; you are not authorized to access or otherwise interact with other people's accounts or data. If, during your testing, you discover a vulnerability that would let you bypass an authentication control and gain access to another account, report the vulnerability but take no further action with the other account or its data.
- Document your findings thoroughly, providing steps to reproduce and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.
- We will contact you to confirm that we have received your report and follow your steps to reproduce the finding.
- We will work with the affected teams to validate the report.
- We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.