Siren recognizes the importance of contributor efforts to help keep the community and the use of the protocol safe.
Please note that this page only refers to the disclosure of software security-related issues.
A valid issue is one that demonstrates a software vulnerability that potentially exploits the protocol or its users. The Siren core developers and/or governance token holders will be the sole determiners of whether or not an issue is valid.
Siren does not authorize security research on other entities. Complying with the Security / Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:
Siren considers Social Engineering attacks against Siren contributors to be out of scope. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
In order to be deemed valid, a report must demonstrate a software vulnerability in code provided by Siren. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating findings and are therefore far more likely to be deemed valid.
A report must be a valid, in scope report in order to qualify for a bounty. Siren at its sole discretion, may award bounties for an amount to be determined on a case-by-case basis, based on severity of the vulnerability.
Siren reviews all findings that are reported via our Bug Bounty Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Siren will request additional information from the reporter. After all information is aggregated; the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.
PLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or closure leading up to a resolution.
The Siren Bug Bounty program scope covers all software vulnerabilities in technology directly released by Siren. It does not cover third party services and/or utilities. Nor platforms and/or services that have integrated the protocol, which are subject to their own bug bounty and/or security-related responsible disclosure programs.
Additionally, all vulnerabilities that require or are related to the following are out of scope:
If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.