Eligibility & Responsible Disclosure

• Report bugs to us as quickly as possible and avoid public disclosure until a patch is available.
• Do not violate other users' privacy or access data beyond what is strictly necessary to prove the issue.
• Exploit only what is required to demonstrate the vulnerability and promptly return any assets obtained.

Rewards Policy

Eligibility for rewards: vulnerabilities enabling inflation or double-spend attacks.

Rewards are granted based on the severity and impact of the discovered vulnerability, as well as the clarity and usefulness of the submitted report. To qualify for a bounty, the issue must be real, demonstrable, and have a measurable effect on the protocol’s security or functioning.

To increase the reward:

• Clear, complete, and reproducible reports are evaluated with higher payouts.
• Providing an executable Proof of Concept (PoC) or a reliable reproducible test grants an additional 10% bonus on top of the base bounty.

Scope & Target

• The primary target is RGB consignment validation.
• Attacks that allow a malicious consignment to bypass the checks of an honest receiver are in scope.
• Provide either a malicious consignment (or the code that builds it) with a detailed explanation, or a test case that reproduces a scenario impossible without exploiting the bug.

Prize

Each valid and reproducible vulnerability rewards up to 10,000 USD. The team may grant extra bonuses for exceptional submissions that include deep technical analysis, dedicated test suites, or verified mitigation proposals.