DualDefence Audit — researchers' perspective
How to participate in DualDefence Audit
Always read the rules for each DualDefence Audit, as they may differ from one audit to another.
Accepted reports:
Only critical issues are accepted in a DualDefence Audit. All reports must include a full description of the vulnerability and a PoC that can be used to re-test the finding. Additionally, we recommend attaching images or a screen recording that shows your exploitation of the issue. Our triage team will assess your submission and forward it to the Auditor's team and the Client's team to verify the severity of your report.
Because the review process can be quite lengthy, the final decision may not arrive until the last days of the DualDefence Audit.
When valid 'critical' issues are found, the following reward distribution process applies:
Clear wording:
Bounty pool — the total amount of reward in the DualDefence Audit.
Allocated bounty — the amount of reward for each unique vulnerability reported.
The total bounty pool for the DualDefence Audit will be equally split among all unique issues reported.
Example: If three researchers identify the same vulnerability and two other vulnerabilities are each submitted only once (3 unique issues reported in total), each vulnerability will get 1/3 of the bounty pool. The allocated bounty is then split between all researchers who submitted the same issue: each unique issue receives 1/3 of the pool, and the three researchers who reported the same issue get 1/9 each of the initial reward pool.
Single Valid Submission
Full Reward: If a critical vulnerability is found by only one participant, that reporter receives 100% of the bounty pool.
Duplicate Submissions
If multiple participants find the same vulnerability, the allocated bounty for that issue (the bounty pool is always split equally among all unique issues reported) is divided equally among all reporters. Example: If two researchers report the same vulnerability, each receives 50% of the allocated bounty. This can be 50% of the bounty pool if only one eligible issue was reported.
Multiple Unique Submissions
Split based on the uniqueness of the issues reported:
Unique Issue 1: Found by one reporter.
Unique Issue 2: Found by another reporter.
Each will receive 50% of the bounty pool.
[DISCLAIMER] The reward amount will be denominated in tokens that are staked in FlashPool. Due to market volatility, the final USD amount may differ from the one stated in the rules.
Good to do beforehand:
Complete your KYC
Create a wallet that can be used to claim rewards
Research the Audit details and infrastructure of the project in scope