# White-hat appreciation award In a bid to up the stake on its commitment to blue-ribbon security reviews, Hexens is launching a **$20,000 white-hat appreciation award** for the responsible disclosure of critical vulnerabilities discovered in bug bounty programs with assets in the same scope as those formerly audited by Hexens. ## Criteria All bug reports must be aligned with the following **rules** to be eligible for a white-hat appreciation award. 1. The **critical** **vulnerability**, defined as a vulnerability conducive to a major loss or permanent freeze of funds, must be identified in the **same** **scope** as the Hexens audit. 2. The scope must be listed as a **bug** **bounty** **program** on a bug bounty platform or the project domain. 3. The report must be confirmed to be **valid** by the project and cannot be a **duplicate** of a former report. 4. The bug bounty report must be submitted on **January 1, 2024 or later**. 5. Hexens must receive a copy of the **report** and the **proof of concept (PoC)**. 6. Hexens must recognize the bug as **critical**. 7. The security researcher must agree to submit to a **Know Your Customer (KYC) check**. 8. The project must be **active** at the time of submission of the report. For the avoidance of doubt, a project is defined as active when its main functionality is operational and no official statements announcing a freeze on its activities have been issued. 9. The **total value locked (TVL)** of the project’s assets must **equal or exceed $20,000**. 10. The project **payout** for the bug bounty must be **no less than $20,000**. {% hint style="warning" %} **Important notice**: Hexens reserves the right to a final say on the severity of a bug. Should a bug fail to meet Hexens’ critical severity criteria, the company shall provide a report to the hunter to support its decision without compromising the hunter’s position with the project. {% endhint %} The white-hat appreciation award shall be paid to the security researcher, not the project. To further promote a culture of responsible disclosure in Web3, Hexens stands ready to advocate your case with our clients should you find a critical bug that meets the above criteria without there being a bug bounty in place. To report a critical bug and try your hand at claiming your appreciation award, drop us a message at [**hexens.io**](https://hexens.io/) or on X at [**@hexensio**](https://twitter.com/hexensio). {% hint style="info" %} Got a question, or want to learn more? [Join our Community](https://discord.gg/remedy). {% endhint %} You can read about the history of how this award came to be in our blog [here](https://hexens.io/blog/white-hat-appreciation-award). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.r.xyz/main/bug-bounty/security-researchers/white-hat-appreciation-award.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.