Security Bounty Program
We value the contributions of security researchers in helping us maintain the security of our platform. Our bug bounty program rewards researchers who responsibly disclose security vulnerabilities with $SNSY tokens.
1. In-Scope Vulnerabilities
SQL Injection
Cross-Site Scripting (XSS)
Remote Code Execution
Authentication Bypass
Insecure Direct Object References (IDOR)
Server-Side Request Forgery (SSRF)
Business Logic Vulnerabilities
Access Control Issues
Critical Information Disclosure
CORS Misconfigurations
2. Out of Scope
Theoretical vulnerabilities without proof
Social engineering attacks
DoS/DDoS attacks
Rate limiting issues
Missing security headers (unless exploitable)
Self-XSS
Clickjacking without clear impact
CSV injection
Known public security issues
Issues requiring physical access
Findings from automated tools without manual verification
Vulnerabilities in third-party services
3. Reporting Requirements
Please include the following in your report to http://bugs.report.sensay.io/:
Clear description of the vulnerability
Step-by-step reproduction steps
Proof of Concept (PoC)
Potential impact assessment
Suggested fix (if applicable)
Your contact information
Your ERC20 wallet address for reward payment
4. Rewards
Rewards are paid in $SNSY tokens based on severity:
Critical: $500 – $5,000 equivalent
High: $200 – $2,000 equivalent
Medium: $100 – $1,000 equivalent
Low: $50 – $500 equivalent
5. Report Quality Multipliers
Final reward amounts are adjusted based on report quality:
Exceptional (complete with PoC): 100% of base reward
Good (clear steps): 80% of base reward
Adequate (needs clarification): 60% of base reward
Basic (minimal detail): 40% of base reward
Poor: 20% of base reward
6. Rules of Engagement
Do not perform DoS testing
Do not access, modify, or delete data without permission
Do not attempt physical security breaches
Do not test third-party services
Respect user privacy and data confidentiality
Follow responsible disclosure practices
7. Communication Policy
We value professional and respectful communication. To maintain an effective program:
Initial response will be sent within 5–10 business days
Status updates will be provided every 10 business days
Follow-up inquiries should only be sent if:
No response received within 10 business days
No status update received for more than 14 business days
You have critical additional information about the reported vulnerability
Please Note:
Excessive follow-ups or spam will negatively impact report quality scoring. Multiple unnecessary messages may reduce your final reward by up to 50%. One follow-up message per 10 business days is considered reasonable. Always reference your original report number/ID in any follow-up.
8. Eligibility
Report must include all required information
First reporter of a unique vulnerability
Must not have publicly disclosed the vulnerability
Must provide a valid ERC20 wallet address
9. Contact
Submit all reports at:
bugs@sensay.io
Thank you for helping keep Sensay secure!