Bug Bounty Rewards

Rewards are distributed according to the impact of the vulnerability based on the Vulnerability Classification System. Rewards for critical vulnerabilities are capped at 10% of economic damage, primarily focusing on the possible loss of funds controlled by FIO System contracts.

Payouts are handled by the Foundation and are denominated in USD. All payouts are done in FIO.

Level Payout
Critical Up to USD $100,000
High Up to USD $20,000
Medium Up to USD $5,000
Low Up to USD $1,000
None $0

Vulnerability Classification System

FIO classifies vulnerabilities on a 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a vulnerability, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
  • A bug that can be triggered by any token holder is more severe than a bug that requires a block producer to go rogue.
  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below provides examples of the the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Sample Consequences to Smart Contracts/Blockchain:

Level Examples
5. Critical Empty or freeze protocol tokens (e.g. economic attacks, logic errors, integer over-/under-flow)
4. High Token holders temporarily unable to transfer tokens
Cryptographic flaws
3. Medium Users are temporarily unable to create transactions or use FIO features
2. Low Protocol returns inaccurate information, but on-chain data is not affected
1. None Best practices