# White-hat appreciation award

In a bid to up the stake on its commitment to blue-ribbon security reviews, Hexens is launching a **$20,000 white-hat appreciation award** for the responsible disclosure of critical vulnerabilities discovered in bug bounty programs with assets in the same scope as those formerly audited by Hexens.

## Criteria&#x20;

All bug reports must be aligned with the following **rules** to be eligible for a white-hat appreciation award.

1. The **critical** **vulnerability**, defined as a vulnerability conducive to a major loss or permanent freeze of funds, must be identified in the **same** **scope** as the Hexens audit.
2. The scope must be listed as a **bug** **bounty** **program** on a bug bounty platform or the project domain.
3. The report must be confirmed to be **valid** by the project and cannot be a **duplicate** of a former report.
4. The bug bounty report must be submitted on **January 1, 2024 or later**.
5. Hexens must receive a copy of the **report** and the **proof of concept (PoC)**.
6. Hexens must recognize the bug as **critical**.
7. The security researcher must agree to submit to a **Know Your Customer (KYC) check**.
8. The project must be **active** at the time of submission of the report. For the avoidance of doubt, a project is defined as active when its main functionality is operational and no official statements announcing a freeze on its activities have been issued.
9. The **total value locked (TVL)** of the project’s assets must **equal or exceed $20,000**.
10. The project **payout** for the bug bounty must be **no less than $20,000**.

{% hint style="warning" %}
**Important notice**: Hexens reserves the right to a final say on the severity of a bug. Should a bug fail to meet Hexens’ critical severity criteria, the company shall provide a report to the hunter to support its decision without compromising the hunter’s position with the project.
{% endhint %}

The white-hat appreciation award shall be paid to the security researcher, not the project.

To further promote a culture of responsible disclosure in Web3, Hexens stands ready to advocate your case with our clients should you find a critical bug that meets the above criteria without there being a bug bounty in place.

To report a critical bug and try your hand at claiming your appreciation award, drop us a message at [**hexens.io**](https://hexens.io/) or on X at [**@hexensio**](https://twitter.com/hexensio).

{% hint style="info" %}
Got a question, or want to learn more? [Join our Community](https://discord.gg/remedy).
{% endhint %}

You can read about the history of how this award came to be in our blog [here](https://hexens.io/blog/white-hat-appreciation-award).