Bug Bounty Program

We value the contributions of security researchers in helping us maintain the security of our platform. Our bug bounty program rewards researchers who responsibly disclose security vulnerabilities with SENSAY tokens.

1. In-Scope Vulnerabilities
  • Functional Errors
  • UI/UX Issues
  • Performance Problems
  • Localization and Accessibility Issues
  • Cross-browser Compatibility Issues
  • Mobile Responsiveness Problems
  • Incorrect or Missing Content

2. Out of Scope
  • Security vulnerabilities (report to security bounty program)
  • Suggestions for new features
  • Subjective design feedback
  • Issues caused by unsupported browsers or outdated versions
  • Non-reproducible issues
  • Bugs in third-party services

3. Reporting Requirements

Please follow these steps to report a functional, usability, or performance bug:

  1. Create a public post at https://sensay.canny.io/bugs describing the issue, steps to reproduce, screenshots, and/or videos.
  2. After posting to Canny, send an email to bugs@sensay.io that includes:
    • A link to your Canny post
    • Your contact information
    • Your ERC20 wallet address (for reward payment)

Note: Canny posts are fully public. Please avoid sharing private information there. Wallet details and other confidential information should only be sent via email.

4. Rewards

Rewards are paid in SENSAY tokens based on severity:

  • Critical: $250 – $2,500 equivalent
  • High: $100 – $1,000 equivalent
  • Medium: $50 – $500 equivalent
  • Low: $25 – $250 equivalent

5. Report Quality Multipliers

Final reward amounts are adjusted based on report quality:

  • Exceptional: 100% of base reward
  • Good: 80% of base reward
  • Adequate: 60% of base reward
  • Basic: 40% of base reward
  • Poor: 20% of base reward

6. Rules of Engagement
  • Do not test third-party services
  • Do not submit feature suggestions as bugs
  • Respect user privacy and data confidentiality
  • Follow responsible disclosure practices

7. Communication Policy
  • Initial Response: Within 10 business days
  • Status Updates: Every 20 business days

Please Note:
Excessive follow-ups or spam will negatively impact report quality scoring. Multiple unnecessary messages may reduce your final reward by up to 50%. One follow-up message per 10 business days is considered reasonable. Always reference your original report number/ID in any follow-up.

8. Eligibility
  • First reporter of a unique bug
  • Report must include all required information
  • Must provide a valid ERC20 wallet address

9. Contact

Send all reports to:
bugs@sensay.io

Thank you for helping keep Sensay secure!