Bug Bounty

Deprecation Warning: This Repo is no longer the bounty program. Please submit a bug through our community driven bug bounty program on Immunefi.

Overview

The security of Aave V3 users is paramount. For that reasons, starting on March 16, 2022, the Aave Protocol V3 (”Aave V3”) core repository is subject to the Aave Protocol V3 Bug Bounty (the “Program”). The Program enables community members to submit reports of “bugs” or vulnerabilities for a chance to earn rewards. The Program aims to incentivise responsible disclosure and enhance the security of Aave V3.

Rewards will be allocated based on the severity of the bug disclosed and evaluated and rewarded up to USD $250,000.

The scope, terms and rewards at the sole discretion of the team (the “Team”).

Scope

The Program includes the vulnerabilities and bugs in the Aave Protocol v3 core repository (located in the GitHub repositories, primarily at: aave/aave-v3-core).

The following are not within the scope of the Program:

• Bugs in any third party contract or platform that interacts with Aave V3;
• Vulnerabilities related to domains, DNS or servers of websites;
• Vulnerabilities already reported and/or discovered in contracts built by third parties on Aave V3;
• Any already-reported bugs or other vulnerabilities.

Determinations of eligibility, score and all terms related to rewards and their payment are at the sole discretion of the Team.

Eligibility

To be eligible for a reward under this Program, you must:

• Discover a previously unreported, non-public vulnerability within the scope of this Program. Vulnerabilities must be distinct from the issues covered in the previously conducted publicly available audits.
• Be the first to disclose the unique vulnerability to the Team by the disclosure requirements below. If similar vulnerabilities are reported, the first submission shall be rewarded (if determined valid and otherwise in the scope of this Program).
• Possess sufficient technical knowledge and provide sufficient information necessary to reproduce and fix the vulnerability.
• Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
• Not exploit the vulnerability in any way, including by making it public or obtaining a profit (other than a reward under this Program). Any publicity in any way, whether direct or indirect, relating to any bug or vulnerability will automatically disqualify it and you from the Program.
• Make a good faith effort to avoid privacy violations, data destruction, interruption or degradation of Aave V3.
• Submit only one vulnerability per submission unless you need to chain vulnerabilities to impact any vulnerabilities. If you want to add more information to a provided issue, create a new submission referencing the initial one.
• Not submit a separate vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
• Not be one of our current or former employees, vendors, service providers, or contractors or an employee of any of those vendors or contractors or an immediate family (parent, sibling, spouse, or child) or household member of such person.
• Not be subject to any international, national or state level sanctions.
• Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.

Disclosure

Any vulnerability or bug discovered must be reported to the Team via security@aave.com. The disclosure must be made within 24 hours following the discovery of the vulnerability and, as noted above, not have been exploited in any way prior to disclosure or publicized or disclosed to any third party (other than the Team) prior to not only submission of the report, but also fixing of the bug / vulnerability.

It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.

Rewards

All submissions are evaluated by the Team on a case by case basis. Rewards are allocated based on the severity of the issue, and other variables, including, but not limited to a) the quality of the issue description, b) the instructions for reproducibility, and c) the quality of the fix (if included). A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Therefore, please provide as much information about the vulnerability as possible.

The Program intends to follow a similar approach as the Ethereum Bug Bounty, where the severity of the issues will be based according to the OWASP risk rating model based on “Impact” and “Likelihood”. The evaluation on scoring is however at the sole discretion of the Team.

All rewards are paid in USDC via a transfer to the wallet address provided by the participant to the Team. The reward can’t be exhanged into other crypto assets or fiat. As a condition of participating in this Program, the participants give Company the permission to share their wallet address and other information provided by them to third parties for the purpose of administering this Program and complying with applicable laws, regulations, and rules.

The reward will be received in USDC token based on the following severity scheme:

Note = Up to 100 USDC

Very low = Up to 500 USDC

Low = Up to 1,000 USDC

Medium = Up to 5,000 USDC

High = Up to 10,000 USDC

Very High = Up to 50,000 USDC

Critical = Up to 250,000 USDC

Other terms

The decisions made regarding rewards are final and binding.

By submitting your report, you grant the Company any and all rights, including without limitation intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and how such rewards will be paid, are made at sole discretion of the Company.

Terms and conditions of the Program may be altered at any time. Company may change or cancel this Program at any time, for any reason.