# Flamingo Bug Bounty Program A **bug bounty program** is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs and vulnerabilities, especially those pertaining to security. The **Flamingo Bug Bounty Program** focusses on Flamingo’s smart contracts, website, and app, and aims to prevent: * Thefts and freezing of unclaimed yield of any amount (including frontend code injection attacks) * Thefts and freezing of principal of any amount (including frontend code injection attacks) * Website crashes * Access to admin accounts without authorization (Cloudflare accounts, service management cloud software, e-mails, etc.) * Smart contract hacks that lead to users losing funds * Smart contract hacks that lead to smart contracts malfunctioning * Smart contract exploits in general ## **Rewards by threat level** Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System](https://immunefi.com/severity-updated). This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. All High and Critical Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required. Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of **$50,000 USD**. Payouts are handled by the **Flamingo Finance** team directly and are denominated in USD. However, payouts are done in **GAS**. Bug bounty rewards are as follows: ### **Smart Contracts and Blockchain Rewards** * Critical: **Up to $1,000,000 USD** * High: **$40,000 USD** * Medium: **$4,000 USD** * Low: **$1,000 USD** ### **Websites and Applications Rewards** * Critical: **$25,000 USD** * High: **$10,000 USD** * Medium: **$1,000 USD** ## **Scope** All web and/or app bug reports must come with a Proof of Concept (PoC) with an end-effect impacting an asset-in-scope in order to be considered for a reward. All **High** and **Critical** Smart Contract bug reports require a PoC to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required. Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of **$50,000 USD**. All payouts are handled by the **Flamingo Finance** team directly and are denominated in **USD**. However, payouts are paid in **GAS** tokens. ### **Assets in Scope** **Smart Contract — Official NEP17 Standard**\ **Smart Contract — FLM**\ **Smart Contract — Swap**\ **Smart Contract — Swap Pairs**\ **Smart Contract — Staking Vault**\ **Web/App — Main Web App**\ ### **Impacts in Scope** Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope. #### **Smart Contracts/Blockchain** * Smart contract hacks that lead to users losing funds * Smart contract hacks that lead to smart contracts malfunctioning * Smart contract exploits in general * Loss of user funds staked (principal) by freezing or theft * Theft of unclaimed yield * Freezing of unclaimed yield * Temporary freezing of funds for more than one day #### **Web/App** * Thefts and freezing of unclaimed yield of any amount * Thefts and freezing of principal of any amount * Website crashes * Access to admin accounts without authorization (Cloudflare accounts, service management cloud software, e-mails, etc.) ### **Out of Scope & Rules** The following vulnerabilities are excluded from the rewards for this bug bounty program: * Attacks that the reporter has already exploited themselves, leading to damage * Attacks requiring access to leaked keys/credentials * Attacks requiring access to privileged addresses (governance, strategist) #### **Smart Contracts and Blockchain** * Incorrect data supplied by third party oracles * Not to exclude oracle manipulation/flash loan attacks * Basic economic governance attacks (e.g. 51% attack) * Lack of liquidity * Best practice critiques * Sybil attacks * Centralization risks #### **Websites and Apps** * Theoretical vulnerabilities without any proof or demonstration * Content spoofing / Text injection issues * Self-XSS * Captcha bypass using OCR * CSRF with no security impact (logout CSRF, change language, etc.) * Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) * Server-side information disclosure such as IPs, server names, and most stack traces * Vulnerabilities used to enumerate or confirm the existence of users or tenants * Vulnerabilities requiring unlikely user actions * URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability) * Lack of SSL/TLS best practices * DDoS vulnerabilities * Attacks requiring privileged access from within the organization * Feature requests * Best practices #### **Prohibited activities** The following activities are prohibited by this bug bounty program * Any testing with mainnet or public testnet contracts; all testing should be done on private testnets * Any testing with pricing oracles or third party smart contracts * Attempting phishing or other social engineering attacks against our employees and/or customers * Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks) * Any denial of service attacks * Automated testing of services that generates significant amounts of traffic * Public disclosure of an unpatched vulnerability in an embargoed bounty ## Submit a Bug To submit a bug or learn more about Immunefi and the Flamingo Bug Bounty Program, please go to the [Immunefi Flamingo Bug Bounty Program](https://www.immunefi.com/bounty/flamingofinance/) page.