Overview
Golden recently opened up our dApp to our customers to help facilitate improvements, analyze malicious behaviors, and ensure an easy-to-use solution for our customer experience. In an attempt to bring stronger transparency to our customers, we are opening up a security Bug Bounty covering our web2, web3, and protocol. We will have increased payouts for validated findings until December 1, 2022.
Scope and Reporting
This is a black box test against our production environment. In order to have your vulnerability verified, you will need to send the report to security@golden.co. Please make sure the subject line clearly states that this is a bug bounty request (e.g., Bug Bounty: XSS found in site). All findings MUST include:
- Repeatable, programmatic ways for the internal team to replicate and validate
- Vulnerability title, summary, and walkthrough
- All reports in English
In Scope
Ensure that you adhere to Amazon’s Penetration Testing Policy.
Not in Scope
- Denial of Service (DoS/DDoS) style attacks. If you believe you may have a DoS-related vulnerability, then email security@golden.co and we will either work with internal testing or give you a specific time frame to test.
- Social Engineering style attacks. This includes anything that would require another user to be coerced into navigating to or interacting with an “attack”. Examples include:
- Brute force style attacks. This primarily covers attempts to gain access to users’ accounts.
- Accessing another user’s data by any means. If you need to test an exploit that will interact with another user, then set up a second user account for testing, or reach out to security@golden.co if you have specific testing requirements.
Payouts