Open source, on-chain protocols benefit from community member participation in testing and debugging the smart contracts. As the launch of version 2 of the Uniswap protocol (“Uniswap V2”) approaches, it is beneficial to formalize the program incentivizing those dedicated security engineers who can help make Uniswap V2 safer (the “Program”). The Program will bolster the professional audits and formal verification Uniswap V2 has undergone.
This Program is limited to the vulnerabilities affecting Uniswap V2 in the following contracts:
For purposes of the Program, bugs in Periphery Contracts will be considered less severe than those found in Uniswap V2 Core.
The following are not within the scope of the Program:
Vulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:
Front end bugs;
Severity of bugs will be assessed under the CVSS Risk Rating scale, as follows:
In addition to assessing severity, rewards will be considered based on the impact of the discovered vulnerability as well as the level of difficulty in discovering such vulnerability.
Prior to the deployment of Uniswap V2 to the Ethereum mainnet, which is expected to occur in May 2020, successful bug reporters will receive a 20% bonus on their bounty pay out. This is to incentivize hackers to come forward before launch.
Any vulnerability or bug discovered must be reported only to the following email: firstname.lastname@example.org; must not be disclosed publicly; must not be disclosed to any other person, entity or email address prior to disclosure to the email@example.com email; and must not be disclosed in any way other than to the firstname.lastname@example.org email. In addition, disclosure to email@example.com must be made promptly following discovery of the vulnerability. Please include as much information about the vulnerability as possible, including:
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.
To be eligible for a reward under this Program, you must:
All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions of this Program may be altered at any time.