Bug Bounty

Find a real vulnerability, get paid. Rewards scale with severity and impact on user funds, verified attestations, or Hatcher reputation.

Program activates at mainnet (Sprint C.7). Scope below is stable; pre-mainnet reports are accepted on a best-effort basis via security@gohatch.fun.

Rewards

Critical$25,000 — $150,000
High$5,000 — $25,000
Medium$1,000 — $5,000
Low$250 — $1,000

Rewards are paid in stablecoin within 14 days of fix confirmation. Duplicate reports pay the first confirmed submitter only.

In scope

HatchAttest, HatchNest, Hatcher, HatchRegistry contracts on BNB mainnet.
Public API (`api.gohatch.fun/v1/*`) — auth, rate-limiting, SSRF, injection.
Hatch.fun web surfaces — XSS, CSRF, auth bypass, admin cookie handling.
EIP-191 enrollment signatures, admin bearer flow, API-key issuance + rotation.

Out of scope

Volumetric DoS against public endpoints — rate limits are the intended defense.
Spam, phishing, or social-engineering attacks against users.
Self-XSS or attacks requiring the victim to paste attacker-controlled scripts.
Third-party infra (Vercel, Railway, Supabase) — report upstream.

Disclosure process

01
Submit
Email security@gohatch.fun with a reproducer, impact, and affected component. PGP key is in /.well-known/security.txt.
02
Triage
We acknowledge within 4 business hours, classify severity within 24 hours, and confirm reproduction within 72 hours.
03
Fix
We ship the fix, request your confirmation, and publish an incident entry on /transparency with attribution (opt-in).
04
Pay
Payout in stablecoin within 14 days of fix confirmation. Hall of fame listing at gohatch.fun/bounty when the first reports land.

Contact

Research responsibly — stay within rate limits, don't exfiltrate data, don't phish users. Good-faith researchers are immune from legal retaliation under our safe-harbor policy.

security@gohatch.fun security.txt

Bug Bounty

Find a real vulnerability, get paid. Rewards scale with severity and impact on user funds, verified attestations, or Hatcher reputation.

Program activates at mainnet (Sprint C.7). Scope below is stable; pre-mainnet reports are accepted on a best-effort basis via security@gohatch.fun.

Rewards

Critical$25,000 — $150,000
High$5,000 — $25,000
Medium$1,000 — $5,000
Low$250 — $1,000

Rewards are paid in stablecoin within 14 days of fix confirmation. Duplicate reports pay the first confirmed submitter only.

In scope

HatchAttest, HatchNest, Hatcher, HatchRegistry contracts on BNB mainnet.
Public API (`api.gohatch.fun/v1/*`) — auth, rate-limiting, SSRF, injection.
Hatch.fun web surfaces — XSS, CSRF, auth bypass, admin cookie handling.
EIP-191 enrollment signatures, admin bearer flow, API-key issuance + rotation.

Out of scope

Volumetric DoS against public endpoints — rate limits are the intended defense.
Spam, phishing, or social-engineering attacks against users.
Self-XSS or attacks requiring the victim to paste attacker-controlled scripts.
Third-party infra (Vercel, Railway, Supabase) — report upstream.

Disclosure process

01
Submit
Email security@gohatch.fun with a reproducer, impact, and affected component. PGP key is in /.well-known/security.txt.
02
Triage
We acknowledge within 4 business hours, classify severity within 24 hours, and confirm reproduction within 72 hours.
03
Fix
We ship the fix, request your confirmation, and publish an incident entry on /transparency with attribution (opt-in).
04
Pay
Payout in stablecoin within 14 days of fix confirmation. Hall of fame listing at gohatch.fun/bounty when the first reports land.

Contact

Research responsibly — stay within rate limits, don't exfiltrate data, don't phish users. Good-faith researchers are immune from legal retaliation under our safe-harbor policy.

security@gohatch.fun security.txt

Rewards

In scope

Out of scope

Disclosure process

Submit

Triage

Fix

Pay

Contact

Rewards

In scope

Out of scope

Disclosure process

Submit

Triage

Fix

Pay

Contact