Security Bounty Program

We value the contributions of security researchers in helping us maintain the security of our platform. Our bug bounty program rewards researchers who responsibly disclose security vulnerabilities; rewards are paid in SENSAY tokens.

1. In-Scope Vulnerabilities
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Remote Code Execution
  • Authentication Bypass
  • Insecure Direct Object References (IDOR)
  • Server-Side Request Forgery (SSRF)
  • Business Logic Vulnerabilities
  • Access Control Issues
  • Critical Information Disclosure
  • CORS Misconfigurations

2. Out of Scope
  • Theoretical vulnerabilities without a working proof of concept
  • Social engineering attacks
  • DoS/DDoS attacks
  • Rate limiting issues
  • Missing security headers (unless exploitable)
  • Self-XSS
  • Clickjacking without clear impact
  • CSV injection
  • Known public security issues
  • Issues requiring physical access
  • Findings from automated tools without manual verification
  • Vulnerabilities in third-party services

3. Reporting Requirements

Please include the following in your report to security@sensay.io:

  • Clear description of the vulnerability
  • Step-by-step instructions to reproduce the issue
  • Proof of Concept (PoC) demonstrating that the issue is exploitable
  • Potential impact assessment
  • Suggested fix (if applicable)
  • Your contact information
  • Your ERC-20 wallet address for reward payment
4. Rewards

Rewards are paid in SENSAY tokens based on severity:

  • Critical: $500 – $5,000 equivalent
  • High: $200 – $2,000 equivalent
  • Medium: $100 – $1,000 equivalent
  • Low: $50 – $500 equivalent

5. Report Quality Multipliers

Final reward amounts are adjusted based on report quality:

  • Exceptional (complete with PoC): 100% of base reward
  • Good (clear steps): 80% of base reward
  • Adequate (needs clarification): 60% of base reward
  • Basic (minimal detail): 40% of base reward
  • Poor: 20% of base reward

6. Rules of Engagement
  • Do not perform DoS testing
  • Do not access, modify, or delete data that is not your own; once you have demonstrated an issue, stop testing and report it
  • Do not attempt physical security breaches
  • Do not test third-party services
  • Respect user privacy and data confidentiality
  • Follow responsible disclosure practices

7. Communication Policy

We value professional and respectful communication. To maintain an effective program:

  • You will receive an initial response within 5–10 business days
  • Status updates will be provided every 10 business days
  • Follow-up inquiries should only be sent if:
    • No response received within 10 business days
    • No status update received for more than 14 business days
    • You have critical additional information about the reported vulnerability

Please Note:
Excessive follow-ups or spam will negatively affect your report quality score, and multiple unnecessary messages may reduce your final reward by up to 50%. One follow-up message per 10 business days is considered reasonable. Always reference your original report number/ID in any follow-up.

8. Eligibility
  • First reporter of a unique vulnerability
  • Report must include all required information
  • Must not have publicly disclosed the vulnerability
  • Must provide a valid ERC-20 wallet address

9. Contact

Send all reports to:
security@sensay.io

Thank you for helping keep Sensay secure!