Effective As Of: May 20th, 2021

SuperRare believes in strengthening relationships with security researchers and encouraging a community-led, decentralized approach to our platform's security. We encourage people who discover potential security vulnerabilities to participate in our Bug Bounty Program by promptly disclosing potential vulnerabilities to us in exchange for a possible award.

<aside> ⚠️ Please review these Bug Bounty Program Terms before submitting a report. By submitting your report, you expressly agree to the terms of this Bug Bounty Program, which SuperRare may modify and implement in its sole discretion. We may ignore any received reports that do not strictly comply with the requirements of these terms at our sole discretion. There is no guarantee that you will receive a response within any particular period of time.

</aside>

📧 Reporting a Vulnerability

If you have information about a security issue or vulnerability with the SuperRare website or public smart contracts and wish to participate in our Bug Bounty Program, please send an encrypted e-mail report to **[email protected].** Eligible reports must provide as much information as possible and must strictly comply with the requirements below.

Eligible Reports 👍🏽

To be eligible for bounty award consideration, your report must meet the following basic requirements:

1. The Report must relate to the SuperRare Protocol smart contracts or SuperRare.com (excluding wordpress, discourse, or other third-party dependent bugs)

2. The Report and any accompanying material or information sent to SuperRare must be encrypted with the SuperRare public key You must send a public pgp key to SuperRare in your Report in order to receive a response. Click here for instructions on how to send us with our encryption key.

   Encryption Information for Bug Bounty Submissions

3. The vulnerability you identify must be original, not previously known to SuperRare, not previously reported to SuperRare, and not otherwise publicly disclosed.

4. The Report must show that the potential vulnerability has been demonstrated against the most recent publicly available version of the affected technology.

5. The Report must contain a detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited and likelihood of a successful exploit.

6. The Report must contain a Proof of Concept (POC): code or instructions that clearly demonstrate the vulnerability and allows SuperRare to reproduce the exploit, including any necessary tooling, version identifiers, operating system(s)/version(s), or other information as is required to setup an environment and reproduce the issue.

7. For vulnerabilities involving personally identifiable information (PII), please explain the type of PII you believe is exposed and limit the amount of PII data included in your submissions.

8. The email address you submit reports with and that we respond to must match the email identity associated with your pgp key

Ineligible Reports 👎🏽

The following are general categories of vulnerabilities that are considered ineligible for a bounty award:

• Vulnerabilities already known to SuperRare. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award
• Any conduct by a security researcher or reporter that appears to be unlawful, malicious, harassing, in bad faith, extortive, or criminal in nature will immediately disqualify any submission from the program.
• Reports that are not encrypted with the SuperRare public key or that otherwise fail to comply with these Terms.