Guidelines

The bug bounty program is designed to incentivise and recognise contributions from the active DerpDEX community aimed at enhancing the platform. It is important to note that this program is not a competition and we emphasise that your testing activities should strictly adhere to legal guidelines. Under no circumstances should you violate any laws or compromise data that does not belong to you. Testing should be conducted solely on local running code locally to ensure the security and integrity of the DerpDEX platform.

Scopes

This program includes vulnerabilities and bugs in any deployed DerpDEX contract. These include those within the following Github repositories:

• Universal Router contract code

• Permit2 contract code

• Core contract code

• Periphery contract code

Nevertheless, if you uncover a flaw in a DerpDEX smart contract beyond these repositories that endangers user funds, the team will deem the problem as falling within the remit of our bounty program.

The following are not within the scope of the Program:

1. Third party contracts that are not under the direct control of DerpDEX

2. Issues already listed in the audits for the contracts above

3. Bugs in third party contracts or applications that use DerpDEX contracts

4. The DerpDEX dApp, web interface or other non contract related materials

Disclosure

1. Every bug or vulnerability detected should only be reported to this email address: hello@derpdex.com. Within a business day, DerpDEX will confirm the receipt of your report.

2. The discovered vulnerability should not be shared with any other individual, entity, or different email address prior to notifying DerpDEX, having the issue resolved, and receiving consent from DerpDEX for public exposure. Furthermore, this disclosure must be made within 24 hours upon identifying the vulnerability.

3. Submitting a thorough report of a vulnerability can increase the possibility of earning a reward, and may even enhance the reward value. We kindly ask you to provide as much detail as possible about the vulnerability, including:

   • The specific circumstances under which the bug can be replicated.

   • The sequence of actions required to reproduce the bug or, ideally, a proof of concept.

   • The potential consequences if the vulnerability were to be exploited.

4. Any individual who discloses a unique, not-yet-reported vulnerability leading to a modification in the code or a configuration adjustment, and maintains the confidentiality of the vulnerability until our engineers have addressed it, will have the option to be publicly credited for their contribution if they wish.

Eligibility

1. Find a new, non-public vulnerability that is unknown to our team and falls within the parameters of this Program.

2. Be the first to report this unique vulnerability to hello@derpdex.com, adhering to the given disclosure requirements.

3. Offer enough information that allows our engineers to replicate and address the vulnerability.

4. Refrain from exploiting the vulnerability in any manner, including making it public or profiting from it (excluding the reward provided under this Program).

5. Avoid publicizing a vulnerability in any manner, apart from confidential reporting to us.

6. Make a sincere effort to prevent privacy infringements, data destruction, disruption, or degradation of any of the in-scope assets.

7. Avoid submitting a vulnerability that is rooted in an issue for which a reward has already been granted under this Program.

8. Refrain from engaging in any illegal activities when reporting the bug to hello@derpdex.com, including making threats, demands, or utilizing any form of coercive tactics.

9. Be at least 18 years old or, if under 18, report the vulnerability with the approval of a parent or guardian.

10. Ensure you are not one of our present or past employees, or a vendor or contractor who has participated in the development of the bug-related code.

11. Abide by all eligibility criteria of the Program.

Other Terms

By forwarding your report, you confer upon DerpDEX all necessary rights, inclusive of intellectual property rights, to verify, counteract, and disclose the vulnerability. All determinations related to the rewards, including the qualifications for and amounts of the rewards, as well as the method of payment, rest solely at our discretion.

The stipulations and conditions of this Program can be modified at any given time.