Bug Bounty

Find a real vulnerability in Hatch. Get paid.

Program activates at mainnet (Sprint C.7). Scope is stable; pre-mainnet reports accepted on best-effort via security@gohatch.fun.

Scope

In-scope

Out of scope

• Volumetric DoS (rate-limits are the intended defense).
• Spam, phishing, social-engineering against users.
• Self-XSS or attacks requiring victim to paste attacker scripts.
• Third-party infra (Vercel, Railway, Supabase) — report upstream.
• Clickjacking on pages without sensitive actions.
• Lack of best-practice headers (X-Content-Type-Options, etc.) without a demonstrable exploit.
• Missing rate limits on non-sensitive endpoints.
• Content spoofing on unauthenticated public pages.

Rewards

Paid in stablecoin within 14 days of fix confirmation. Duplicate reports pay the first confirmed submitter only.

What counts as critical

• Direct theft of user funds or treasury drain beyond HatchNest caps.
• Forged attestation that the contract accepts as valid.
• Admin bypass that lets an unauthenticated caller write to /v1/admin/*.
• RCE on the API server.

What counts as high

• EIP-191 signature bypass on enrollment (lets a non-creator enroll).
• Cross-tenant data leak (reading another creator's private data).
• Authenticated admin action executable by a non-admin.
• Attestation publisher publishing stubbed data (trust-rule violation).

What counts as medium

• Stored XSS in user-submitted fields.
• CSRF on authenticated actions.
• SSRF into private network.
• API rate-limit bypass.

What counts as low

• Reflected XSS requiring interaction.
• Leaked non-sensitive error details.
• Missing signatures on non-critical webhook deliveries.

Disclosure process

1. Submit. Email security@gohatch.fun with:

   • One-line summary
   • Impact (data/funds/reputation)
   • Reproducer — exact steps, request/response payloads, screenshots
   • Proposed CVSS severity
   • Your payment address (stablecoin wallet)

   PGP key: /.well-known/security.txt → Encryption field.

2. Triage. We acknowledge within 4 business hours. Severity classified within 24 hours. Reproduction confirmed within 72 hours.

3. Fix. We ship the fix. Request your confirmation that the fix holds. Publish an incident entry on /transparency with attribution (opt-in).

4. Pay. Stablecoin payout within 14 days of fix confirmation. Hall of fame listing on /bounty once the first reports land.

Safe harbor

We will not pursue legal action against researchers who:

• Act in good faith.
• Stay within scope.
• Don't exfiltrate data beyond what's necessary to demonstrate the issue.
• Don't target users with social engineering or phishing.
• Report privately and give us reasonable time to fix.

We'll coordinate with you on public disclosure timing.

Responsible research

• Respect rate limits. If a finding requires high volume to demonstrate, tell us and we'll provision a time-boxed test key.
• Don't scrape user data. Stop at "this bug exists" — don't mass- enumerate users' submissions.
• Don't attack live treasury. Even in scope, don't drain funds. Demonstrate the path; we'll reproduce in a controlled environment.
• Don't publicly disclose before we've fixed. 90 days max from report → disclosure.

What to include in a great report

• Impact first, reproducer second. Lead with "this lets an unauthenticated caller read every enrollment signature."
• Minimum viable reproducer. No pivoting through three unrelated bugs if one lands it.
• Suggested fix. Not required, but accelerates the payout timeline.
• Your bona fides. Prior reports, handle, whatever helps us calibrate.

Current status

• Program: inactive until mainnet (Sprint C.7).
• Pre-mainnet submissions welcome. Reviewed with a best-effort SLA; critical issues paid out early.
• Hall of fame: empty today. First report gets the top slot.

Questions? security@gohatch.fun. For anything non-security, see support.