Security: semperai/arbius

SECURITY.md

Reporting Security Vulnerabilities

Arbius values the independent security research community and believes that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.

Please do NOT raise a GitHub Issue to report a security vulnerability. If you believe you have found a security vulnerability, please submit a report to [email protected] preferably with a proof of concept.

We ask that you do not use other channels or contact project contributors directly.

Non-vulnerability-related security issues, such as new ideas for security features, are welcome on GitHub Issues.

Security-Related Information

We will provide security-related information such as a threat model, considerations for secure use, or any known security issues in our documentation. Please note that labs and sample code are intended to demonstrate a concept and may not be sufficiently hardened for production use.

Bug Bounty Program

The Program covers vulnerabilities and bugs in any deployed Arbius contract and in the reference mining software.

Rewards will be allocated based on the severity of the bug disclosed and assets at risk. Rewards can be up to 100 AIUS for critical vulnerabilities, and up to 30 AIUS for high and medium vulnerabilities.

The following are not within the scope of the Program:

  • Third-party contracts that are not under the direct control of Arbius
  • Issues already listed in the audits for the contracts above
  • Bugs in third-party contracts or applications that use Arbius contracts
  • The Arbius DAPP, web interface or other non-contract-related materials

Rewards

The Program uses the following 4-level severity scale:

  • Critical: Issues that could impact numerous users and have serious reputational, legal or financial implications. An example would be being able to lock contracts permanently or take funds from users.
  • High: Issues that impact individual users, where exploitation would pose reputational, legal or moderate financial risk to the user.
  • Medium: The risk is relatively small and does not pose a threat to user funds or the network.
  • Low/Informational: The issue does not pose an immediate risk but is relevant to security best practices.

Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, as determined at the sole discretion of Arbius. You can find out more about this scale on the OWASP risk rating methodology page.