How to get started with the Metaplex Bounty Program:
- Check the Security Tiering and Out of Scope sections below for the programs or domains that are within scope.
- Familiarize yourself with the vulnerability types that are out of scope.
- Perform your research/testing without impacting other users. (be nice!)
- Report your in-scope vulnerability by including written code of the exploit and instructions for reproducing the vulnerability. Submissions without clear reproduction steps may be ineligible for a reward.
- During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.
- Once Metaplex has reproduced the vulnerability, you will become eligible to receive a reward in most cases.
- All reward amounts are determined by the Severity Guidelines and Project/Program tiers.
- When duplicates occur, we only award the first report that was received, provided that it can be fully reproduced.
- You may publish write-ups about the vulnerability, however you must wait to publish until a fix has been confirmed by the Metaplex team. If you publish before a fix is confirmed you will be ineligible for a reward.
Questions or Submissions? Email bounty@metaplex.foundation
Severity Guidelines
Critical - Direct and immediate risk to a broad array of users. Such issues often affect the low-level/foundational components of our application stacks or infrastructure. e.g.,
- Loss of funds
- Arbitrary code execution
High - Attackers can read or modify highly sensitive data or behaviors that they should not be able to access. Generally narrower in scope than critical issues when judged against breadth of impact or ease of exploitation. e.g.,
- Modify sensitive data like Token Metadata or Auction configuration
- Modify the ownership or permissions of sensitive data
Medium - Attackers can read or modify limited amounts of data or behaviors they are not authorized to access. Generally narrower in scope than high severity issues when judged against breadth of impact or ease of exploitation. e.g.,
- Circumventing the captcha for Candy Machine
Low - Attackers can access extremely limited amounts of data or behavior. Such issues may violate an expectation of how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior.
When categorizing programs or libraries into tiers, the following inputs are considered:
- The importance of a program to the Metaplex community ecosystem. The more a program is depended upon or used, the more likely a program will be considered in a higher security tier. The Token Metadata Program is an example of a core, widely depended upon program whereas the Gumdrop program would be considered less important.
- The level of stability. The more stable, the more likely a program will be considered in a higher security tier.
- The level of audit and review a program has undergone. For example, whether a program has been audited by a third-party security professional, or whether the Metaplex DAO has voted the program forward through community governance.
The Metaplex Program Libraries can be found here. Only the latest versions of these programs deployed to mainnet are eligible.