Bug Bounty Rules, Terms and Conditions
Please read these terms and conditions (these “Terms”), which form a legally binding contract between Polymath Inc. (“Polymath” or “us” or “our” in context) and qualifying individuals (“Participant” or “you” and “your” in context) who wish to participate in this bug bounty program (the “Program”) and identify vulnerabilities in our in-scope products (“Vulnerabilities”). Participants that submit acceptable Vulnerability Reports shall be eligible to earn a payout (a “Bounty Payout”), as determined solely at Polymath’s discretion, in accordance with these Terms.
These Terms include important clauses, including without limitation, instances where Participants may be liable to Polymath, a class action waiver, and other limitations of your rights and remedies. Disputes will be adjudicated solely in Ontario, Canada. By participating in the Program, all Participants must agree to be bound by these Terms and comply with these Terms. If an individual does not wish to, or cannot comply with these Terms, they are ineligible for a Bounty Payout and must not participate in the Program.
Polymath offers this Program as an initiative for our community members that are helping Polymath to improve its software.
The Program is not a competition. No fees are payable or purchase is necessary to participate in the Program. There is no guarantee that you will earn a Bounty Payout. The Program is provided “as-is”.
This Program is a discretionary initiative. Polymath, in its sole discretion, may modify these Terms at any time and may modify, restrict, suspend, terminate, or otherwise change any aspect of this Program, and/or the fulfillment of any Bounty Payouts at any time, as noted in Section 7 below.
You must meet the following criteria in order to be eligible to be a Participant:
- You must be either the legal age of majority in your country or at least 14 years of age with permission from your legal guardian that you may participate in the Program;
- When acting as a Participant, you are not violating any other agreement (e.g. an employment agreement) to which you may be a party; we are not liable for any breach of such a third-party agreement by you and disclaim any knowledge of or responsibility for your conduct; and
- You are not listed under or resident in a country that is under a Barbados, US, Canadian, European Union, or United Nations embargo or sanctions list.
Polymath employees, contractors or representatives, or a family member of a Polymath employee, contractor or representative, are not eligible to participate in the Program.
These Terms are the entire agreement between you and Polymath for your participation in the Program and these Terms will supersede any prior agreement between you and us.
A Participant may be required to provide Polymath with proof of compliance and eligibility in the form requested in regards to any obligation of the Participant hereunder.
To set up the developer environment, and get started, please visit: https://github.com/PolymathNetwork/Polymesh
To submit a Vulnerability, you must complete and submit our Vulnerability Disclosure Form, found at one of our approved platforms, as mentioned in the program overview: https://developers.polymesh.live/community/bug-bounty#overview (each such submission, a "Report").
All Reports must comply with our Report requirements. You can find our Report requirements, Program processes and tips on submitting a Report, at: https://developers.polymesh.live/community/bug-bounty.
All feedback, unsolicited and solicited, Reports, and any materials that you submit to us as part of the Program are subject to the Intellectual Property, Grants, and Ownership rights in Section 8 below.
Polymath’s main product is blockchain related source code (located in our GitHub repositories, primarily at: https://github.com/PolymathNetwork/Polymesh) and any associated released binaries. Polymath’s websites or services are not part of the Program. Please see Exhibit A for the list of libraries and items within the scope of the Program. If you believe you have found a Vulnerability in Polymath’s blockchain related source code and associated released binaries that are within scope, we encourage you to let us know right away by submitting a Report. Before submitting a Report, please review these Terms, including our Responsible Investigation and Reporting requirements (section 2.2 below), Reward Details (in Exhibit B), and the Program Scope (in Exhibit A).
For you to participate in the Program, we require that you:
- Meet the eligibility requirements in section 1 above.
- Do not violate the privacy of other users and not engage in actions to cause disruptions to others, including (but not limited to) unauthorized access to or destruction of data.
- Do not violate any applicable laws or regulations.
- Do not share content that is offensive, inappropriate, graphic, or spam.
- Do not harm (by planting a vulnerability or introducing a virus or threat) or defraud Polymath or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
- Do not target our physical security measures (attempts against Polymath property or data centers), or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks.
- Do not engage in attacks that consume a substantial amount of Kovan ETH, Kovan POLY, or Testnet POLYX which would be otherwise cost-prohibitive on mainnet.
- Do not exploit a Vulnerability that you discover for any reason other than for testing purposes.
- Do not introduce any intellectual property to us in any way to which you do not have a sublicense right.
- Report Vulnerabilities only to us and not to anyone else.
- Do not take credit for anyone else’s work in respect of a Report.
- Do not submit Reports that make use of information that is fraudulent, deceptive, forged, altered, incomplete, lost, late, misdirected, mutilated, illegitimate, incomprehensible, garbled, or generated by a macro, bot, or other automated means.
- Do not damage or cause interruption of the Program and/or prevent others from participating in or engaging in the Program.
- Comply with these Terms.
These Terms provide you with authorization to test our in-scope code and technologies (see 2.1 above and Exhibit A for in-scope and out-of-scope activities). These Terms DO NOT authorize you to intentionally access Polymath data, to access another person’s data without authorization, or to engage in actions that are not permitted in section 2.2 above and are out-of-scope for purposes of the Program.
These Terms DO NOT provide authorization in respect of any third-party (i.e., a party other than Polymath or its affiliates) networks, systems, information, applications, products, or services.
Those who do not abide by these Terms and the instructions of Polymath and its representatives, or who do not provide all required information, may, in Polymath’s sole discretion, be disqualified and any purported participation by such person deemed void. If a Participant attempts or succeeds in abusing the Program, Polymath may (in its sole discretion) disqualify such Participant from participation in this Program and pursue other remedial actions.
You should retain a copy of your Report and records of your participation. Polymath is not responsible for providing a copy or record of any element of your participation.
Polymath may offer features allowing Participants to publicly display certain information about their participation in this Program within a researcher profile, such as profile information, types of Vulnerabilities reported, and other statistics. If you choose to share your information through this feature, this information will be public and others may use it or share it with third parties. Polymath may also feature you or your Report in any commercially reasonable manner.
We use email and other electronic means to stay in touch with Participants. You agree that when you provide us your email address or personally identifying information (e.g. name, address) during or prior to access or involvement in the Program, you: (a) consent to receive communications from us in electronic formats, including via the email address you have submitted or other agreed upon contact methods; (b) can opt-out from receiving communication from us at any time; and (c) agree that these Terms, agreements, notices, disclosures and other communications that we provide to you electronically satisfy any legal requirement that such communications would satisfy if they were in writing and physically presented to you.
Public announcements regarding the Program will be made in the Polymath Developer Discord Channel. Notifications in connection with submitted Reports, Bounty Payouts, and your participation in the Program will be made by email using your email address provided. It is each Participant’s sole responsibility to receive and monitor those methods to timely receive, review, and respond as needed to notifications. Failure to timely respond or complete any of the steps set forth in the notification and verification procedures for any reason, including filtering or failure by Participant to notice or accept a communication from Polymath or its representative, may result in disqualification of such Participant from receiving the Bounty Payout. Polymath reserves the right to contact Participants for verification purposes and administration of the Program. All Polymath’s decisions are final and binding in all matters relating to the Program.
All notices provided to Polymath in relation to the Program shall be sent to email@example.com.
Participants will receive Bounty Payouts upon satisfying criteria for such payouts on their Reports, subject to verification. See Exhibit B for current information regarding Bounty Payouts, including how Bounty Payouts are calculated (collectively, “Rewards Details”). We may change the Bounty Payouts and the manner in which they are calculated at any time. All Bounty Payout details not specified in these Terms (including Exhibit B) will be determined at Polymath’s sole discretion. Bounty Payouts are not the property of any Participant until such payouts are actually received by a Participant.
Bounty Payouts are paid in United States Dollars or USDC on Ethereum and shall be sent using the details provided by Participant as specified in Exhibit B. Polymath is not responsible for a Participant’s inability to accept or receive a Bounty Payout for any reason. We are not able to issue Bounty Payouts to Participants who are in violation of a material term of these Terms, including being on a sanctions list or that reside in countries on a sanctions list.
Any taxes (federal, national, state, prefectural, territorial, provincial, and/or local) and other costs and expenses associated with Bounty Payout acceptance or receipt will be the sole responsibility of the Participant. No more than the stated Bounty Payout will be awarded. Polymath will not replace any lost or stolen Bounty Payouts or any Bounty Payouts that are undeliverable or do not reach the Participant because of an incorrect or changed address or contact information. If a Participant does not accept the entire Bounty Payout, the unaccepted part of the Bounty Payout will be forfeited, and Polymath will have no further obligation with respect to that Bounty Payout or portion of the Bounty Payout. Participants are strictly prohibited from selling, auctioning, trading, or otherwise transferring their entitlements to Bounty Payouts. It may be unlawful (for example, if prevented by a government or regulatory agency), impractical (e.g. excessive transfer costs, duties, or taxes), or impossible for Polymath to award Bounty Payouts to Participants who live in certain jurisdictions. Polymath reserves the right, but not the obligation, to cancel the payment of such Bounty Payout in such circumstances. Each Participant waives the right to assert as a cost of receiving any Bounty Payout any and all costs of verification and costs to claim the Bounty Payout and any liability and publicity which might arise from claiming or seeking to claim said Bounty Payout.
Participants may be required to respond to an initial notification from Polymath within forty-eight (48) hours and be required to provide necessary details so Polymath can make the Bounty Payouts.
Participant will be liable for and indemnify Polymath, its subcontractors, and their respective directors, officers, and representatives (“Polymath Indemnitees”) against any losses which Polymath Indemnitees may incur that arise from Participant’s breach of these Terms, including losses arising from Participants’ gross negligence, willful misconduct and breach of law.
In no event will Polymath be liable to you for any loss of use, revenue or profit or loss of data or for any consequential, incidental, indirect, exemplary, special, aggravated, or punitive damages whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damage was foreseeable and whether or not Polymath had been advised of the possibility of such damages.
Notwithstanding anything else set out under these Terms, our cumulative liability to you under these Terms (apart from payment of Bounty Payout to which you may be entitled) shall be $10. Participant further waives all rights to have damages multiplied or increased.
This Program, these Terms, and any dispute arising under or related thereto (whether for breach of contract, tortious conduct, or otherwise) will be governed, construed, and interpreted under the laws of the Province of Ontario, Canada and the federal laws of Canada applicable therein, without reference or giving effect to its conflicts of law principles or rules that would cause the application of any other laws. Any legal actions, suits, or proceedings related to this Program (whether for breach of contract, tortious conduct, or otherwise) will be brought exclusively in the courts of the Province of Ontario and each Participant irrevocably accepts, submits, and consents to the exclusive jurisdiction and venue of these courts with respect to any legal actions, suits, or proceedings arising out of or related to this Program. You waive any and all objections to jurisdiction and venue in these courts and hereby submit to the jurisdiction of the courts of the Province of Ontario, Canada.
Except where prohibited, as a condition of participating in this Program, each Participant agrees that between the parties, any and all disputes, claims, and causes of action arising out of or connected with this Program, or the Bounty Payout awarded must be resolved individually, without resort to any form of class action.
Polymath reserves the right to modify, restrict, suspend, or otherwise change any aspect of the Program and/or these Terms from time to time, for any reason, including any reason beyond Polymath’s control, and within its sole discretion, including without limitation the manner in which Participants participate and the manner in which Bounty Payouts are calculated, with reasonable notice to Participants. If you have already submitted any Vulnerability to us, we will notify you of changes to these Terms via email. The updated Terms will always be available at https://developers.polymesh.live/community/bug-bounty-rules. The updated Terms will be effective as of the time of posting, or upon such later date as specified by Polymath. The updated Terms will apply to your participation in the Program beginning as of their effective date, or upon such later date, or by such other method as specified by Polymath. If you do not agree to such an amendment, you must cease your participation in the Program immediately. Except where exigencies require a shorter time frame, we reserve the right to terminate the Program completely by providing you with thirty (30) days’ notice of the impending termination.
We may terminate your engagement with us and any entitlement to any Bounty Payout if you violate any part of these Terms. Polymath reserves the right to restrict or void participation from any identifiable source if any suspicious participation is detected or any violation of these Terms is suspected or detected. Polymath reserves the right, in its sole discretion, to void the participation of any Participant who Polymath believes has attempted to tamper with or impair the administration, security, fairness, or proper execution of the Program. If Polymath determines at any time, in its sole discretion, that a Participant is engaging in behavior that Polymath deems obnoxious, deceptive, inappropriate, threatening, illegal or that is intended to annoy, abuse, or harass any other person, Polymath reserves the right to disqualify that Participant.
Sections 4, 5, 6, 8, 9, 10 and this clause shall survive termination of the Program.
We retain all intellectual property rights in our products including, without limitation, all our source code and associated related binaries. Nothing herein shall grant you any right in any part of our products, or any improvement or derivative in any Report you provide us. You agree that to the extent required to abide by these Terms, you will waive any and all rights that may otherwise accrue to you in any Report and agree that we will not be obliged to license back any derivative or improvements in any Report to you.
The Polymath Indemnitees are not responsible and/or liable for any of the following, whether caused by a Polymath Indemnitee, the Participant, or by human error: participation submitted by illegitimate means (such as, without limitation, by an automated computer program); any lost, late, incomplete, illegible, unintelligible, garbled, mutilated, or misdirected participation, email, mail, or Program-related correspondence or materials or postage-due mail; any error, omission, interruption, defect or delay in transmission or communication; viruses or technical or mechanical malfunctions; interrupted or unavailable cable or satellite systems; errors, typos, or misprints in these Terms, any Program-related advertisements, or other materials; failures of electronic equipment, computer hardware, or software; lost or unavailable network connections or failed, incorrect, incomplete, inaccurate, garbled or delayed electronic communications or participation information. Polymath Indemnitees are not responsible for electronic communications that are undeliverable or do not reach the Participant as a result of any form of active or passive filtering of any kind or insufficient space in a Participant’s email inbox to receive email messages. Polymath Indemnitees are not responsible, and may disqualify you, if your email address or other contact information does not work or is changed without prior written notice to Polymath.
Without limiting any other provision in these Terms, the Polymath Indemnitees are not responsible or liable to any Participant (or any person claiming through such Participant) for failure to supply the Bounty Payout or any part thereof in the event that any of the Program activities or Polymath Indemnitees’ operations or activities are affected by any cause or event beyond the sole and reasonable control of the applicable Polymath Indemnitee (as determined by Polymath in its sole discretion), including, without limitation, by reason of any force majeure event, act of God, equipment failure, threatened or actual terrorist acts, air raid, act of public enemy, war (declared or undeclared), civil disturbance, insurrection, riot, epidemic, pandemic, public health crisis, fire, explosion, earthquake, flood, hurricane, unusually severe weather, blackout, embargo, labor dispute or strike (whether legal or illegal), labor or material shortage, transportation interruption of any kind, work slow-down, any law, rule, regulation, action, order, or request adopted, taken, or made by any governmental or quasi-governmental entity (whether or not such governmental act proves to be invalid), or any other cause, whether or not specifically mentioned above.
Polymath’s clock will be the official timekeeper for this Program. Polymath’s decisions will be final in all matters relating to this Program, including interpretation of these Terms and awarding of the Bounty Payouts.
Polymath’s failure or decision not to enforce any provision in these Terms will not constitute a waiver of that or any other provision. In the event there is an alleged or actual ambiguity, discrepancy, or inconsistency between disclosures or other statements contained in any Program-related materials and/or these Terms (including any alleged ambiguity, discrepancy, or inconsistency within these Terms), it will be resolved by Polymath in its sole discretion. Participants waive any right to claim ambiguity in the Program or these Terms.
The invalidity or unenforceability of any provision of these Terms will not affect the validity or enforceability of any other provision. In the event that any provision is determined to be invalid or otherwise unenforceable or illegal, these Terms will otherwise remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision were not contained herein.
The following repositories, sources, and sites are in-scope of the Program:
In addition to the items listed in section 2.1 (Scope) of the Terms, the following repositories, sources and sites are out-of-scope of the Program:
You can elect to receive Bounty Payouts either via a wire transfer (from USD to your preferred currency), or via USDC. To receive a Bounty Payout in USDC, we will need your ETH address.
We will communicate with you over email, and need the following information in order to process a Bounty Payout:
- Participant Name
- Participant Address
- Phone Number
- Email Address
- Wire Information (Bank Name, Bank Address, Account Number, SWIFT Code)
- Crypto Address (for payment to be made in USDC)
Bounty Payouts are processed twice a month, on the 15th and on the last day of the month, so expect a Bounty Payout to reach you within 10 days of the closest upcoming processing date.
Please note that we cannot issue Bounty Payouts to individuals, entities, or residents of countries that are listed in Canadian sanctions lists, Barbados sanctions lists, the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) sanctions list, European Union (EU) sanctions lists or the United Nations (UN) Security Council sanctions list.
Here is the classification of Bounty Payouts according to the severity of the Vulnerability reported:

| Severity | Description / Example | Reward |
| --- | --- | --- |
| CVSS 9.0 - 10.0 | Transaction manipulation/censorship, double-spending, POLY/POLYX minting, unauthorized token minting, stalled or undermined consensus/network, governance censorship or compromise, manipulation of signing keys or master keys to gain unauthorised access to | USD 3000 - 5000 |
| CVSS 7.0 - 8.9 | Ability to make an extrinsic panic unexpectedly without proper handling, block the on-chain governance system from its expected behaviour, or block other users from their ability to perform expected tasks (griefing). | USD 1000 - 3000 |
| CVSS 4.0 - 6.9 | Ability to put chain data into an unexpected state which otherwise doesn't cause any disruption; forcing the emission of events which are incorrect. | USD 250 - 750 |
| CVSS 0.0 - 3.9 | DoS'ing of the operator nodes; incorrect data being logged through events. | USD 100 - 300 |
Where we receive multiple Reports about the same or similar Vulnerability, we will reward a Bounty Payout only for the first Report received. In addition, multiple Vulnerabilities that relate to one underlying Vulnerability will be treated as one Vulnerability and entitled to one Bounty Payout.