With a bug bounty program (the ”Program”), we invite the community members to research and discover security related bugs and vulnerabilities on The Space.
Rewards will be allocated based on the severity of the bug disclosed and evaluated and rewarded up to 1,953,000 $SPACE in 2022.
If you would like to report a vulnerability or have a question for us, please email us at [email protected].
Bounty hunting is a complicated profession. Happy hunting and stay safe!
The following are within the scope of the Program:
- Smart contracts developed or designed by The Space team (the “Team”);
- Assets and services under
*.thespace.gamedomains, e.g. The Space App, APIs;
The following are not within the scope of the Program:
- Bugs in any third party contract or platform that interacts with The Space contracts and apps;
- Any already-reported bugs or other vulnerabilities;
- Sybil attacks;
- DDoS attacks;
It’s also welcome to report any bug outside of this scope, we can help reach out to affected parties.
Any vulnerability or bug discovered must be reported to the Team via [email protected].
The vulnerability must not be disclosed publicly or to any other person, entity or email address before the Team has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by the Team will be recognized publicly for their contribution if they so choose.
Risk Scoring & Rewards
All submissions are evaluated by the Team on a case-by-case basis. The Program intends to follow a similar approach as the Ethereum Bug Bounty, where the severity of the issues will be based according to the OWASP Risk Rating Model based on “Impact” and “Likelihood”.
Risk Score = Impact * Likelihood
Likelihood \ Impact
Rewards are distributed according to the level of overall risk severity and circulating supply at the time of reporting.
Overall Risk Severity
Reward in Year 1
Reward in Year 4
7 to ≤9
Up to 0.5% of $SPACE circulating supply
Up to 1,953,000 $SPACE
Up to 5,000,000 $SPACE
5 to <7
Up to 0.1% of $SPACE circulating supply
Up to 390,600 $SPACE
Up to 1,000,000 $SPACE
3 to <5
Up to 0.05% of $SPACE circulating supply
Up to 195,300 $SPACE
Up to 500,000 $SPACE
1 to <3
0.01% of $SPACE circulating supply
We will decide, at our sole discretion, the level of reward based on the severity of the bug and the completeness of the submission.
To be eligible for a reward under this Program, you must:
- Discover a previously unreported, undisclosed vulnerability within the scope of this Program. Vulnerabilities must be distinct from the issues covered in the previously conducted publicly available audits;
- Be the first to disclose a specific vulnerability to the Team by the disclosure requirements below. If similar vulnerabilities are reported, the first submission shall be rewarded (if determined valid and otherwise in the scope of this Program);
- Possess sufficient technical knowledge and provide sufficient information necessary to reproduce and fix the vulnerability;
- Not engage in any unlawful or unauthorized conduct when disclosing the bug, including through threats, demands, or any other coercive tactics;
- Not exploit the vulnerability in any way, including by making it public or/and receiving any remuneration in exchange (other than a reward under this Program). Any publicity in any way, whether direct or indirect, relating to any bug or vulnerability will automatically disqualify it and you from the Program;
- Make best effort to avoid privacy violations, data destruction, interruption or degradation of The Space;
- Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities;
- Not submit a separate vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program;
- Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian;
- Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors;
By submitting your report, you grant The Space any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The Team reserves the right to modify or update the rules of the Program at anytime.