STONKBULLZ Bug Bounty Program

Help us maintain the highest security standards for STONKBULLZ and our users. Report valid security vulnerabilities through our Bug Bounty Program and get rewarded for your expertise.

Our Commitment to Security

The security and integrity of the STONKBULLZ platform and the protection of our users' assets are paramount. We implement a comprehensive, multi-layered security strategy and conduct continuous monitoring and internal testing. However, we highly value the contributions of the global security research community in identifying potential vulnerabilities.

Our Bug Bounty Program is an invitation to security researchers to help us identify and remediate potential security weaknesses. We are committed to working with the community to ensure a swift and effective response to any valid findings.

Scope of the Program

This program covers security vulnerabilities found in the following STONKBULLZ assets:

  • Main trading platform: www.stonkbullz.com and its primary subdomains (e.g., app.stonkbullz.com, api.stonkbullz.com).
  • Official STONKBULLZ mobile applications for iOS and Android (latest versions available on official app stores).
  • Publicly accessible API endpoints (REST & WebSocket).
  • STONKBULLZ-owned smart contracts that are actively deployed and manage user funds (specific contract addresses will be listed on a dedicated bounty platform page if applicable).

Examples of In-Scope Vulnerabilities:

  • Cross-Site Scripting (XSS) on user-facing interfaces.
  • SQL Injection (SQLi).
  • Server-Side Request Forgery (SSRF).
  • Authentication or Authorization flaws (e.g., privilege escalation, session hijacking).
  • Remote Code Execution (RCE).
  • Significant business logic flaws that could lead to financial loss or data compromise.
  • Vulnerabilities in our smart contracts that could lead to loss of funds.

Out of Scope:

  • Theoretical vulnerabilities without a practical exploit scenario.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
  • Social engineering (e.g., phishing, vishing, pretexting) of STONKBULLZ staff or users.
  • Physical attempts against STONKBULLZ property or data centers.
  • Vulnerabilities in third-party applications or services that STONKBULLZ uses but does not directly control (e.g., a vulnerability in a cloud provider's infrastructure).
  • Missing security headers or deviations from best practice that do not lead to a direct, exploitable vulnerability (e.g., missing HSTS, weak TLS cipher suites), unless a practical attack can be demonstrated.
  • Self-XSS that cannot be used to attack other users.
  • Rate-limiting issues and brute-force attacks against login or password-reset endpoints, unless a bypass or severe impact is demonstrated.
  • Content spoofing and text injection that cannot be used to inject or modify HTML/CSS.
  • Reports from automated scanners without manual verification and proof of exploitability.

Reward Tiers

Bounties are awarded based on the severity (CVSS score, or similar methodology) and demonstrable impact of the vulnerability. The final reward amount is at the sole discretion of the STONKBULLZ security team.

  • Critical: up to $10,000+ (e.g., RCE, significant fund loss)
  • High: $2,000 - $7,500 (e.g., XSS on sensitive pages, SSRF)
  • Medium: $500 - $1,500 (e.g., stored XSS on less sensitive pages, some authentication flaws)
  • Low: $100 - $400 (e.g., minor information disclosure, UI redressing)

Rewards are typically paid in stablecoins (USDT/USDC) or STONKBULLZ Token (SBZ) at our discretion.

Submission Guidelines & Responsible Disclosure

To be eligible for a bounty, you must adhere to our responsible disclosure policy:

  1. Submit your findings exclusively to security@stonkbullz.com with the subject "Bug Bounty Submission: [Brief Description of Vulnerability]".
  2. Provide a detailed report including clear, concise steps to reproduce the vulnerability. Include screenshots, videos, scripts, or PoC code where applicable.
  3. Explain the potential impact of the vulnerability.
  4. Do not publicly disclose the vulnerability before STONKBULLZ has had a reasonable time to investigate and remediate it (typically 90 days, but may vary). We will coordinate disclosure with you.
  5. Do not attempt to access, modify, or exfiltrate non-public data belonging to STONKBULLZ or its users. Limit your testing to your own accounts or test accounts.
  6. Do not engage in any activity that could disrupt or degrade STONKBULLZ services (e.g., DoS, spamming).
  7. Violation of these guidelines may result in ineligibility for a bounty and potential legal action.

What to Expect After Submission

  • We will acknowledge receipt of your report, typically within 3 business days.
  • Our security team will investigate the reported vulnerability. We may contact you for clarification or additional information.
  • We will notify you of our findings and, if the vulnerability is valid and in scope, determine the bounty amount.
  • We will work to remediate the vulnerability and coordinate public disclosure if appropriate.

We appreciate your efforts in helping make STONKBULLZ a more secure platform for the entire crypto community. Your contributions are invaluable.