Bug Bounty

Security is a first-class priority. This program rewards responsibly disclosed vulnerabilities across the Signet stack. Help us find and fix vulnerabilities across the Signet stack, from smart contracts to infrastructure to documentation.

Scope

Smart Contracts

• Passage, Rollup Passage, Transactor, Host Orders, Rollup Orders, Zenith, Permit2

• Impact: asset loss, unauthorized actions, state forgery, unexpected EVM behavior

Services

• builder, signet

• Impact: finality forgery, censorship, authentication bypass, data integrity failure, key leakage, asymmetric DDoS, cryptographic misuse

Libraries

• trevm, ajj, signet-sdk, bin-base, node-components, signet-infra-components

• Impact: forgery, data integrity, parsing bugs, cryptographic misuse

Infrastructure

• CI/CD pipelines, containers, signing services, secrets

• Impact: remote code execution, privilege escalation, key extraction

Dashboards & Faucets

• Block explorer, Pecorino Faucet

• Impact: data exfiltration

Docs & Config

• Documentation, Github

• Impact: misconfigurations or specs that materially change security posture

Rules of Engagement

• Test with your own accounts and funds only
• No destructive testing, safe PoCs only
• Coordinated disclosure, give us time to fix before publishing
• Respect rate limits (Pecorino L1 funds available on request)

Safe Harbor

Good-faith security research on in-scope assets is authorized. Follow this policy and we won’t pursue legal action under anti-hacking or anti-circumvention laws.

Rewards & Budget

Severity Tiers

Critical: up to $50,000

• Drain or freeze L1/L2 funds
• Finalize invalid state, forge state or finality
• Extract or compromise production keys

High: up to $20,000

• Censorship routes, indefinite censorship or censorship-escape bypass
• Authentication bypass
• Unauthorized privileged action
• Message replay or forgery under realistic conditions

Medium: up to $10,000

• Griefing with measurable loss (stuck funds, fee theft)
• Replay/ordering abuse
• Sensitive info disclosure enabling escalation
• Asymmetric DoS

Low: no payment

• Non-trivial best-practice gaps with theoretical impact
• Noisy but contained DoS requiring sustained traffic

Budget & Terms

• Quarterly budget: $50,000 for Medium and High (Critical has no cap)
• Duplicates: First valid report wins; related issues may be consolidated
• Quality bar: Working PoC or clear exploit path required for Medium+ severity
• Payment: Net-30 after validation (critical may be paid post-mitigation). USDC (Ethereum Mainnet) or USD. Tax documents may be required.

How to Report

Fill out the report template and submit via:

• Email (high/critical): security@init4.technology
• GitHub issue (medium/low): File on the relevant repo at Github

Test funds available via Pecorino faucet.

Triage & SLAs

• Acknowledgement: within 1 day
• Initial triage: within 4 days
• Fix targets: Critical ≤14 days, High ≤30 days, Medium-Low best effort
• Disclosure: Coordinated with reporter, case-by-case
• Updates: At meaningful milestones

Legal & Compliance

• No NDA required. You retain ownership of your report
• Do not access personal data or non-public keys. If you do: stop, report, delete
• Do not retain exploit data beyond what’s required for the report
• Rewards may be subject to sanctions/export rules
• Terms may evolve
• This is not legal advice

Publication & Recognition

• Addition to the Hall of Fame with tiers by severity
• Optional researcher write-ups may be published after fixes, with attribution

Get In Touch

Feedback? Reach us on @signetsh or security@init4.technology