Bug Bounty
Program status: launching at mainnet. The structure, reward tiers, scope, SLAs, and Safe Harbor language described on this page become binding when the formal program launches alongside mainnet deploy. Until then, the security email, PGP key, and disclosure workflow below are commitments-on-launch, not yet live — for pre-mainnet findings, please use the informal channel described in How to report a finding today.
Program structure (planned)
SportsPerp will operate a tiered bug bounty post-mainnet, with rewards scaling by severity and impact.
Reward tiers
| Severity | Reward range (USDC) | What qualifies |
|---|---|---|
| Critical | $50,000 – $250,000 | Loss of user funds, permanent freezing of positions, bypass of liquidation or insurance invariants, oracle consensus compromise |
| High | $10,000 – $50,000 | Forced liquidation of positions that shouldn’t be liquidatable, insurance fund drainage, oracle manipulation that enables extractable value |
| Medium | $2,500 – $10,000 | Logic bugs with limited impact, griefing that increases user costs, denial-of-service on specific features |
| Low | $500 – $2,500 | Information leaks, non-security consistency issues, UX issues with security implications |
Ranges, not fixed amounts. Actual reward depends on:
- Exploitability — is it theoretical or demonstrable?
- Impact — dollar value of funds at risk.
- Mitigation difficulty — is there a clean fix, or does the bug indicate deeper architectural issues?
- Report quality — a well-written report with a working proof-of-concept earns more than a vague claim.
Scope
In scope
- The on-chain program at 6d4fSCD7mNy7aDNS2mXUxYpZjFFQKBKwAsM5kojKQA6h (devnet) and its eventual mainnet address.
- The published @sportsperp/sdk — math parity issues, instruction-builder bugs, PDA derivation errors.
- Off-chain services — oracle crank, oracle pusher, keeper, liquidator, monitor — where a bug affects on-chain settlement or enables extractable value.
- Frontend — issues that result in user funds loss (wallet drainer patterns, broken transaction signing, etc.) qualify at the corresponding severity tier.
- Infrastructure — compromise of the Hetzner server, admin keypair, Helius RPC, or similar qualifies but specific treatment depends on how it was discovered.
Out of scope
- Known issues documented in the self-audit report (docs/SELF-AUDIT-REPORT.md) at Low or Informational severity. These have been accepted as non-blocking.
- Gas optimization — not a security issue.
- Rate-limiting improvements — not a security issue unless exploitable.
- Social engineering / phishing attacks — out of scope for this bounty program.
- Third-party services (our data partner, Helius, Vercel, Solana cluster itself) — we can’t pay for bugs we can’t fix.
- Anything that violates our Terms of Service (when published) — testing that would require live attack on other users’ funds, bypassing geo-restrictions, etc.
How to report a finding today
The formal bug bounty program — including the dedicated security email, PGP key, and 24-hour acknowledgement SLA — launches with mainnet. Until then, please report findings via one of these channels:
- GitHub private vulnerability disclosure on the public repo (preferred for code-level findings).
- Encrypted Telegram DM to a team member (handles on the Official Links page once published).
A dedicated security@sportsperp.xyz mailbox with PGP key will be stood up at mainnet; until then, please do not rely on it for time-sensitive disclosures.
Do NOT:
- Open a public GitHub issue for a security finding.
- Post to Discord / Telegram public channels.
- Attempt to exploit a finding on mainnet positions beyond what’s needed for proof-of-concept. Devnet testing is encouraged.
Responsible disclosure workflow (mainnet-launch SLAs)
These SLAs become binding when the formal program launches with mainnet:
- Report received. We acknowledge within 24 hours.
- Triage. Within 72 hours, we respond with an initial severity assessment and planned next steps.
- Coordination. We work with the reporter on a fix plan and disclosure timeline. For Critical issues, expect a 72-hour fix target; for High, 7 days; for Medium, 30 days; for Low, 90 days.
- Fix deployed. The fix is deployed and verified.
- Public disclosure. The reporter and SportsPerp jointly publish a post-mortem after fix deployment plus a reasonable cooldown. The reporter is credited (or remains anonymous, their choice).
- Reward paid. Upon verification of the finding and fix.
Researcher rules
- Do not publish the finding before the coordinated disclosure window expires.
- Do not share the finding with third parties who could exploit it.
- Do not attack live mainnet users to demonstrate a finding — use devnet for proof-of-concept.
- Do not test against our production infrastructure (beyond normal user-facing interfaces) without prior coordination.
- Follow local laws — we’re not in a position to indemnify reporters against their own jurisdiction’s rules.
Researchers who operate in good faith are protected — we won’t pursue legal action against someone who reports responsibly, even if their testing touched live systems within reasonable exploration bounds. Bad-faith actions (exfiltrating funds, publishing without coordination, extortion) obviously void all protections.
Safe Harbor
When the formal program launches, SportsPerp will publish a Safe Harbor statement that:
- Guarantees no legal action against researchers who operate within program rules.
- Specifies testing boundaries — what’s allowed without coordination, what requires prior notice.
- Includes DMCA and computer-fraud-law exemptions within the program’s scope.
The Safe Harbor follows industry-standard templates (e.g., the Immunefi safe harbor).
Hall of Fame
Post-launch, a public Hall of Fame will credit researchers who have contributed findings, with:
- Name / handle (optional)
- Severity of finding
- Date of disclosure
Researchers who prefer anonymity can decline credit without affecting their reward.
Notes on timing and funding
The bug bounty is funded from protocol treasury pre-token. Post-$SPERP-launch, a portion of protocol revenue is planned for ongoing bounty funding, so the program is sustainable long-term.
The $250K top tier reflects what we consider appropriate for a Critical finding that prevents loss of user funds before mainnet scales. As the protocol grows and more capital is at stake, the top-tier reward will scale proportionally — a $5M-TVL protocol’s Critical bug bounty is naturally smaller than a $500M-TVL protocol’s.
Further reading
- Audits — the orthogonal security review process.
- Smart Contract Risk — what kinds of bugs the bounty incentivizes finding.
- Self-Audit Summary — what’s already been found internally.