Earnmos is formed by a professional team. Our developers typically conduct rigorous internal tests and evaluate blockchain contracts before deployment. Earnmos has also been audited by security organization BlockSec. However, in order to guarantee a top level security for your deposits, one can never be too careful. Never allow user funds to have any security issues. - this is a key Earnmos principle. That's why Earnmos has launched a bug bounty program. So come participate and get paid!
Vulnerability reports will be scored using the CVSS v3 standard. The reward amounts for different types of vulnerabilities are:
🚨 Critical (CVSS 9.0–10.0)
→ $5,000 - $50,000
⚠️ Major (CVSS 7.0–8.9)
→ $2,500 - $5,000
⚡ Medium (CVSS 4.0–6.9)
→ $1,000 - $2,500
🐛 Low (CVSS 1.0–3.9)
→ $500 - $1,000
Rewards will be awarded at the sole discretion of Earnmos Contributor Mining. Quality of the report and reproduction instructions can impact the reward. Rewards are paid out in Earnmos Treasury Token.
For this initial bug bounty program, there is a maximum bounty pool of $250,000.
The bug bounty program is ongoing and has been running since Earnmos launch.
Please responsibly disclose any findings to the development team, following these instructions:
- In order to report a vulnerability, please write an email to [email protected] with [SECURITY DISCLOSURE] in the subject of the email.
- We will make our best effort to reply in a timely manner and provide a timeline for resolution.
- Please include a detailed report on the vulnerability with clear reproduction steps. The quality of the report can impact the reward amount.
Failure to do so will result in a finding being ineligible for any bounties.
Issues which can lead to substantial loss of money, critical bugs like a broken liveness condition or irreversible loss of funds.
- Mismatch of the functionality of the contracts and outdated spec documents.
These are some examples of vulnerabilities that would be interesting:
- Stealing tokens or manipulating the token generation process.
- Locking or freezing any of the Earnmos contracts.
- Griefing attacks:
- Do the desired constraints on borrower operations hold?
Terms for eligible bounties:
- Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty.
- Public disclosure of the vulnerability, before explicit consent from Earnmos Team to do so, will make the vulnerability ineligible for a bounty.
- Attempting to exploit the vulnerability in a public network will also make it ineligible for a bounty.
- Provide enough information about the vulnerability.