# Bug Bounty

#### Program Overview <a href="#program-overview" id="program-overview"></a>

This bug bounty covers Tagomi's smart contract code only; client/UI-only bugs are excluded.

Tagomi's smart contract is open-source.

| **Severity** | **Description**                                                                                                     | **Bug Bounty**                                               |
| ------------ | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
| Critical     | Bugs that freeze user funds or drain the contract's holdings or involve the theft of funds without user signatures. | 10% of the value of the hack up to $500,000.                 |
| High         | Bugs that could *temporarily* freeze user funds or incorrectly assign value to user funds.                          | $10,000 to $50,000 per bug, assessed on a case-by-case basis |
| Medium/Low   | Bugs that don't threaten user funds                                                                                 | $1,000 to $5,000 per bug, assessed on a case-by-case basis   |

The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/).

Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.

#### Submission <a href="#submission" id="submission"></a>

Please email <hello@drift.trade> with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach back out in 1 business day with additional questions or the next steps on the bug bounty.

#### Bug Bounty Payment <a href="#bug-bounty-payment" id="bug-bounty-payment"></a>

Bug bounties will be paid in USDC. Alternative payment methods can be used on a case-by-case basis.

#### Invalid Bug Bounties <a href="#invalid-bug-bounties" id="invalid-bug-bounties"></a>

The following are out of scope for the bug bounty:

* Attacks that the reporter has already exploited themselves, leading to damage
* Attacks requiring access to leaked keys/credentials
* Attacks requiring access to privileged addresses (governance, admin)
* Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)
* Lack of liquidity
* Third-party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts)
* Best practice critiques
* Sybil attacks
* Attempted phishing or other social engineering attacks involving Tagomi contributors or users
* Denial of service, or automated testing of services that generates significant traffic
* Any submission violating Immunefi's rules
