VexScan
Testnet

Bug Bounty Program

Help us secure the Vexidus network. We reward responsible disclosure of security vulnerabilities with VXS tokens. Rewards are calculated in USD equivalent and paid in VXS at the market rate at the time of payout.

Scope

In Scope

  • Vexidus node binary (consensus, P2P, state machine)
  • RPC server (vex_* and eth_* endpoints)
  • VexScan explorer (vexscan.io)
  • VexForge Studio (vexforge.xyz)
  • VexSpark Wallet (wallet.vexspark.com)
  • SDK and CLI tools
  • VSC token standards (VSC-7, VSC-21, VSC-55)
  • Staking, VexBridge, and IntentVM logic

Out of Scope

  • Third-party services (Discord, Telegram, hosting providers)
  • Social engineering or phishing attacks
  • Denial of service via brute-force traffic volume
  • Issues already reported or publicly known
  • Bugs in testnet-only bypass code (documented in codebase)
  • Cosmetic UI issues with no security impact

Severity & Rewards

Critical

Up to $25,000 equivalent in VXS
  • Consensus bypass — forge valid blocks without stake
  • Double-spend or state corruption across validators
  • Private key extraction from public data
  • Remote code execution on validator nodes

High

Up to $10,000 equivalent in VXS
  • Unauthorized fund transfers or balance manipulation
  • Denial of service causing network halt
  • Signature verification bypass
  • P2P protocol attacks causing chain splits

Medium

Up to $2,500 equivalent in VXS
  • RPC endpoint vulnerabilities (injection, auth bypass)
  • Mempool flooding or transaction censoring
  • Explorer data manipulation or XSS
  • Token standard logic errors causing incorrect balances

Low

Up to $500 equivalent in VXS
  • Information disclosure (non-sensitive)
  • UI/UX bugs affecting data accuracy
  • Documentation errors causing misconfigurations
  • Rate limiting bypass on public endpoints

VXS amounts are determined at the time of payout based on the USD-equivalent value. Testnet bounties discovered before mainnet launch will be honored at the mainnet launch price.

Rules

  • Responsible disclosure: Report to us first. Do not publicly disclose until we confirm a fix is deployed.
  • No disruption: Do not degrade the testnet experience for other users. Test on a local node when possible.
  • One report per issue: Duplicate reports receive credit only for the first submission.
  • Proof required: Include steps to reproduce, affected code paths, and potential impact.
  • Good faith: Act in good faith and avoid accessing other users' data or funds beyond what is necessary to demonstrate the vulnerability.

How to Report

Email: security@vexidus.com

Discord: #bug-bounty channel

We aim to acknowledge reports within 48 hours and provide an initial assessment within 7 days. Rewards are paid in VXS after the fix is deployed and verified.

See our Terms of Service for additional legal information.