Bug Bounty Program
Last updated: 2026-05-28
In scope
- Testnet contracts on Arbitrum Sepolia:
  - Plinth (margin engine)
  - Vigil (liquidation engine)
  - Coffer (ERC-4626 vault)
  - Sigil (agent mandates)
  - Aqueduct, Postern, Portico, Edict, Praetor
- Verify-app at verify.useatrium.me
- Codex API at codex.useatrium.me
- Tablet API at tablet.useatrium.me (when behind auth)
Out of scope
- Front-end UI bugs without security impact
- Social engineering attacks
- Third-party services (Vercel, Cloudflare, Sentry)
- Theoretical risks already documented in audits/
- Dependencies under resources/ (report upstream)
Severity matrix
Aligned with Immunefi severity classification.
| Severity | Examples | Reward |
|---|---|---|
| Critical | Fund loss, unauthorized admin access, contract takeover | $5,000 – $25,000 |
| High | Funds at risk (partial), privilege escalation | $1,000 – $5,000 |
| Medium | Information disclosure, denial of service | $250 – $1,000 |
| Low / Info | Best-practice violations, minor info leaks | Swag + hall-of-fame credit |
Funding
Bounty payments are funded from the Praetor treasury post-mainnet. During testnet, rewards are best-effort by the founding team with public hall-of-fame credit and swag for all valid disclosures.
Disclosure process
- 90-day responsible disclosure window.
- Report to security@useatrium.me.
- PGP encryption optional. See runbooks/pgp-key-generation.md.
- We acknowledge within 48 hours. Critical issues triaged same-day.
- Do not publicly disclose until the 90-day window expires or we publish a fix.
Hall of fame
Researchers who responsibly disclose are credited at /security/hall-of-fame.