
Bug bounty (alternative)


Last updated 2 years ago

Multichain encourages the community to review our code and security, and we encourage responsible disclosure of any problems. We are therefore rolling out a Bug Bounty Program (BBP) concurrently. The Program aims to recognize the value of working with the community of independent security researchers and reflects our definition of credibility and your expectations of us in the process of identifying and reporting vulnerabilities. Through the BBP, we encourage the discovery and reporting of any potential vulnerabilities in Multichain, or possible vulnerabilities under new technologies in the future, so as to achieve the long-term, continuous improvement and security enhancement of Multichain.

Reward

Multichain will provide considerable rewards for discovering and submitting vulnerabilities. The reward amount is directly proportional to the severity and availability of the vulnerability. Multichain will provide a reward of $500 to $1,000,000 for eligible discoveries under the terms provided below.

Scope

The main BBP scope includes the entire architecture of Multichain, as well as all currently deployed components, developer documents, listed assets and smart contract addresses. Smart contracts and applications built by third-party developers on the basis of Multichain are not included in the Program's reward scope. The BBP's scope also includes potential vulnerabilities that affect the operation of https://multichain.org/ and the provision of liquidity.

Submit

Submit the vulnerabilities you discover to security@multichain.org, or submit them online via Zendesk on the official Multichain website. The submission needs to include clear and concise steps, including a reproduction of the vulnerability in written or video format. Multichain will follow up immediately after confirmation.

If a correction plan is submitted together with the report, then once it is confirmed to be effective and is finally adopted, the developers will receive more rewards.

Conditions

To receive the bug reward, you must:

  • Within the scope of Multichain BBP, identify and submit a previously undiscovered, non-public vulnerability.

  • Include adequate details in your disclosure to enable our engineers to quickly reproduce, understand and fix the vulnerability.

  • Report as an individual or, if employed by a company, submit the vulnerability with the written approval of the company.

  • Not be a current or former employee of Multichain, a vendor, a contractor, or an employee of a vendor or contractor; submissions from these parties will not be accepted.

  • Make submissions consistent with the laws and regulations of the country where you are located; inconsistent submissions will not be accepted.

To encourage vulnerability research and avoid confusion between vulnerability submissions and malicious attacks, we ask you to:

  • Comply with the rules, including compliance with the terms and conditions of the Program and any other relevant agreement. In case of any contradiction between this procedure and any other relevant agreement, the terms of this procedure shall prevail.

  • Report any vulnerabilities you have discovered in a timely manner.

  • Avoid violating others' privacy, damaging our system, damaging data or damaging the user experience.

  • Do not release or disclose details of any vulnerabilities identified to others until they are fixed.

  • Perform tests only on systems within the scope and respect systems and activities out of the scope.

  • Interact only with the account you own or with the explicit permission of the account holder.

  • Do not engage in blackmail, extortion or any other illegal act.

When working with us under this Program, you can expect us to:

  • Provide big rewards for eligible discoveries according to the vulnerability severity and availability on Multichain.

  • Multichain will not file any legal proceedings against anyone who threatens or follows the BBP.

  • Work with you to understand and validate your report, including prompt preliminary responses to submissions.

  • Repair the vulnerabilities discovered in a timely manner.

  • Acknowledge your contribution to our security improvement if you are the first person to report a unique vulnerability and your report triggers code or configuration changes.

All award decisions, including eligibility and payment amount, are at Multichain's sole discretion. Multichain reserves the right to refuse submissions and to change the terms and conditions of the Program.

Please discuss vulnerabilities with us via security@multichain.org, or submit them online via Zendesk on the official Multichain website.

security@multichain.org