Bug bounty
Homepage RVSS Calculator Community

White-hat appreciation award

In a bid to up the stake on its commitment to blue-ribbon security reviews, Hexens is launching a $10,000 white-hat appreciation award for the responsible disclosure of critical vulnerabilities discovered in bug bounty programs with assets in the same scope as those formerly audited by Hexens.

Criteria

All bug reports must be aligned with the following rules to be eligible for a white-hat appreciation award.

  1. The critical vulnerability, defined as a vulnerability conducive to a major loss or permanent freeze of funds, must be identified in the same scope as the Hexens audit.

  2. The scope must be listed as a bug bounty program on a bug bounty platform or the project domain.

  3. The report must be confirmed to be valid by the project and cannot be a duplicate of a former report.

  4. The bug bounty report must be submitted on January 1, 2024 or later.

  5. Hexens must receive a copy of the report and the proof of concept (PoC).

  6. Hexens must recognize the bug as critical.

  7. The security researcher must agree to submit to a Know Your Customer (KYC) check.

  8. The project must be active at the time of submission of the report. For the avoidance of doubt, a project is defined as active when its main functionality is operational and no official statements announcing a freeze on its activities have been issued.

  9. The total value locked (TVL) of the project’s assets must equal or exceed $20,000.

  10. The project payout for the bug bounty must be no less than $20,000.

Important notice: Hexens reserves the right to a final say on the severity of a bug. Should a bug fail to meet Hexens’ critical severity criteria, the company shall provide a report to the hunter to support its decision without compromising the hunter’s position with the project.

The white-hat appreciation award shall be paid to the security researcher, not the project.

To further promote a culture of responsible disclosure in Web3, Hexens stands ready to advocate your case with our clients should you find a critical bug that meets the above criteria without there being a bug bounty in place.

To report a critical bug and try your hand at claiming your appreciation award, drop us a message at hexens.io or on X at @hexensio.

Got a question, or want to learn more? Join our Community.

You can read about the history of how this award came to be in our blog here.

PreviousLeaderboardNextFrequently asked questions

Last updated