Bug Bounties

We provide generous bug bounties to those who find errors.

The DAO takes security extremely seriously and rewards whitehat bug finders with payouts in some combination of KAP or USDC, as outlined below.

Our smart contracts are based on OpenZeppelin primitives with our own unique twist, and have been audited by both Halborn and Ackee. Our full-stack web apps are undergoing continuous pentesting by two different cybersecurity firms.

We rank bugs according to the CVSS scoring system. If you find a bug, you should immediately contact the moderators on Discord, who will direct you to the appropriate parties. We pay bug hunters based on the severity of the bug, with the following payout schedule:

  • (0.1 - 1.0) Informational: Up to $250

  • (1.1 - 3.9) Low Risk: Up to $750

  • (4.0 - 6.9) Medium Risk: Up to $2,500

  • (7.0 - 8.9) High Risk: Up to $5,000

  • (9.0 - 10.0) Critical: Either up to $25,000 or 2.5% of the funds at risk of permanent loss

Payouts may be made either in USDC or in an equivalent amount of native KAP tokens, depending on treasury conditions at the time, and assuming that the individual who provided the information on the bug also assists in its resolution.

Contact us at bugs@kap.gg to submit a bug report.
