Bug Bounty Program Terms and Conditions
Last updated June 20, 2024
PARTICIPATION IN THE BUG BOUNTY PROGRAM IS SUBJECT TO COMPLIANCE WITH THE TERMS OF USE OF DYDX TRADING INC.
These Bug Bounty Program Terms and Conditions (these “Bug Bounty Terms”) apply to, and will govern, all vulnerabilities that are discovered by you and reported to dYdX Trading Inc. (“dYdX”) in accordance with these Bug Bounty Terms (the “Bug Bounty Program”). In the event of a conflict between these Bug Bounty Terms and the Terms of Use of dYdX (the “Terms of Use”), or any other previously published dYdX program, the terms of these Bug Bounty Terms will govern to the extent of such conflict. Please read these Bug Bounty Terms carefully before you participate in the Bug Bounty Program. By participating in the Bug Bounty Program, you represent and agree to be bound by these Bug Bounty Terms. By participating in the Bug Bounty Program, you agree to the Terms of Use and the Privacy Policy (the “Privacy Policy”). If you do not agree with the Terms of Use or Privacy Policy, then you should immediately stop using or accessing the Services and participating in the Bug Bounty Program.
dYdX's decision with respect to paying or not paying a bug bounty is entirely discretionary, and shall not in any circumstance be construed as an admission or concession of fault or liability by dYdX, nor shall it be construed as an endorsement by dYdX of the accuracy of a description of an alleged vulnerability, alleged root causes of it, or any other information asserted by you or other third parties.
1. ELIGIBILITY
Subject to these Bug Bounty Terms, to be eligible to participate in the Bug Bounty Program, during the period of your participation, you must:
be of legal age in the jurisdiction in which you reside and you must have the legal capacity to enter into, and be bound by, these Bug Bounty Terms if you are participating in the Bug Bounty Program as an individual;
have the legal authority to accept these Bug Bounty Terms on the applicable entity’s behalf, in which case “you” (except as used in this paragraph) will mean the foregoing entity if you are participating in the Bug Bounty Program as an entity;
be the first person to report or disclose the vulnerability to dYdX in accordance with these Bug Bounty Terms, including by emailing sufficient information to bugbounty@dydx.exchange;
provide sufficient information to enable dYdX to reproduce and fix the applicable vulnerability;
not engage in any unlawful conduct when discovering, reporting or disclosing the vulnerability to dYdX, including the use of threats, demands or any other coercive tactics;
not have exploited or attempted to exploit the vulnerability in any way, including by making such vulnerability public or by obtaining a profit or other benefit (other than a payment under the Bug Bounty Program);
make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any Services or Site (as defined in the Terms of Use), including using automated testing that generates significant amounts of traffic;
submit only one (1) vulnerability per report or disclosure, unless you need to combine vulnerabilities to provide sufficient information with respect to any of the applicable vulnerabilities;
not submit a vulnerability caused by the same underlying issue on which a payment has been provided under the Bug Bounty Program;
not ask for payment in exchange for vulnerability details or dispute the applicability of the Bug Bounty Program to you, including the amount of any proposed or actual payment or categorization of a vulnerability; and
not be a current or former employee (within 6 months), vendor, contractor, or agent for dYdX, or a current or former employee (within 6 months) of any of the foregoing.
dYdX reserves the right to limit or refuse your eligibility to participate in the Bug Bounty Program for any reason in its sole discretion, including but not limited to where your participation is prohibited by any Applicable Law. If dYdX becomes aware of any violation of these Bug Bounty Terms or the Terms of Use, dYdX may elect to, among other things, (a) prohibit you from using the Services or the Site; (b) withhold, amend or cancel the benefits of or payments under the Bug Bounty Program; or (c) require return of any payment made to you, including taking any action at law to obtain such payment.
2. SCOPE OF VULNERABILITIES
The following non-exhaustive types of vulnerabilities are excluded from any payments with respect to the Bug Bounty Program:
vulnerabilities previously known to dYdX;
vulnerabilities with respect to sites hosted by third parties unless such vulnerabilities lead to a vulnerability on the Site;
vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack or other similar types of exploitation;
vulnerabilities affecting outdated or unpatched browsers;
vulnerabilities in third party applications that use dYdX API;
vulnerabilities publicly disclosed in third-party libraries or technology used in the Services or the Site;
vulnerabilities that require an improbable level of user interaction;
vulnerabilities that require rooting or jailbreaking a mobile device;
missing security headers without proof of exploitability;
suggestions on best practices;
software version disclosure;
front end bugs;
unsophisticated or generic DDOS attacks;
spamming;
phishing;
automated tools (github actions, aws); and
compromise or misuse of third party systems or services.
dYdX reserves the right to determine whether a vulnerability is eligible for a payment under the Bug Bounty Program in its sole discretion.
3. DISCLOSURE AND REPORTING REQUIREMENTS
Any vulnerability discovered must be only reported to the following email: bugbounty@dydx.exchange, and must comply with all other requirements in this Bug Bounty Program.
The vulnerability must not have been or be disclosed publicly or to any other persons before dYdX has been notified, has fixed the issue, and has granted permission, if at all, for such disclosure. The disclosure to dYdX must be made within twenty-four (24) hours following discovery of the applicable vulnerability. If similar vulnerabilities are reported within the applicable twenty-four (24)-hour period any payment may be split by dYdX between such reporters, or may be paid to the first person to make such report, and in either case shall be determined in the sole discretion of dYdX.
A detailed report of a vulnerability increases the likelihood of a payment and may increase the amount of such payment. Please provide as much information about the vulnerability as possible, including:
the conditions on which reproducing the vulnerability is contingent;
the steps needed to reproduce the vulnerability or, preferably, a proof of concept; and
the potential implications of abusing the vulnerability.
4. PAYMENTS
Subject to these Bug Bounty Terms, you will receive payments based on the type of vulnerability reported or disclosed in accordance with Exhibit A. The categorization and amount of any payment will be determined at the sole discretion of dYdX, including without limitation eligibility for such payment, and the severity of any applicable vulnerability.
5. BUG BOUNTY PROGRAM ADMINISTRATION
dYdX reserves the right to administer the Bug Bounty Program in its sole discretion:
dYdX hereby reserves the right to amend, suspend or terminate the Bug Bounty Program at any time with or without prior notice or consent. dYdX further reserves the right to amend, withhold or cancel any Bug Bounty Program payments or benefits granted if dYdX becomes aware of any violation of these Bug Bounty Terms or the Terms of Use.
Administration of the Bug Bounty Program is at the sole discretion of dYdX, subject to the Applicable Law(as defined in the Terms of Use). Any questions relating to eligibility, or these Bug Bounty Terms or the Bug Bounty Program will be resolved by dYdX at dYdX’s sole discretion and its decision will be final and binding with respect thereto. If it is discovered by dYdX that you have or have attempted to violate these Bug Bounty Terms or the Terms of Use, then dYdX may disqualify you from any Bug Bounty Program payments or benefits in its sole discretion.
dYdX reserves the right to make awards that do not comply with every requirement herein, such as your failure to provide a detailed report of any vulnerability, or your failure to notify dYdX through the correct channel. Awards made pursuant to such exceptions made by dYdX do not constitute any waiver by dYdX of any other terms and conditions set forth herein.
6. PRIVACY
By participating in the Bug Bounty Program, you acknowledge and agree that any personal information that you provide will be maintained in accordance with the Privacy Policy. By participating in the Bug Bounty Program, you hereby (a) grant to dYdX the right to use your name, country of residence, email address and any other information you provide to dYdX (“Personal Information”) for the purpose of administering the Bug Bounty Program; (b) grant to dYdX the right to use your Personal Information for publicity, promotional, marketing and advertising purposes relating to the Bug Bounty Program, in any and all media now known or hereafter devised, without further compensation unless prohibited by Applicable Law; and (c) acknowledge that dYdX may disclose your Personal Information to its third-party agents and service providers in connection with any of the foregoing activities. dYdX will use your Personal Information only for the identified purposes and as contemplated in the Privacy Policy. Any conflict between the Privacy Policy and any authorization and/or licensing provided herein shall be governed by these Bug Bounty Terms.
If you access any personal information or other sensitive information for which you do not have authority to access, then you must immediately stop accessing such information and destroy all copies thereof. You must not provide such information to dYdX and must only provide dYdX a description thereof.
7. RELEASE AND PUBLICITY
YOU AGREE TO RELEASE AND HOLD HARMLESS DYDX AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS FROM AND AGAINST ANY CLAIM OR CAUSE OF ACTION ARISING OUT OF YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND/OR ANY DETERMINATION MADE ABOUT YOUR ELIGIBILITY IN THE BUG BOUNTY PROGRAM OR ANY PAYMENT THEREUNDER THAT MAY OR MAY NOT BE DUE TO YOU. YOU AGREE THAT DYDX AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS ARE NOT LIABLE FOR INJURIES, LOSSES OR DAMAGES OF ANY KIND ARISING FROM YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND ACCEPTANCE, POSSESSION AND USE OF THE BENEFITS OR PAYMENTS RECEIVED UNDER THE BUG BOUNTY PROGRAM. DYDX IS NOT RESPONSIBLE FOR ANY TYPOGRAPHICAL OR OTHER ERROR IN THE PUBLICATION OF THESE BUG BOUNTY TERMS OR ADMINISTRATION OF THE BUG BOUNTY PROGRAM OR ANNOUNCEMENT THEREOF.
8. TAXES
You will be solely responsible for all income tax liabilities that arise from or in any way relate to any benefit or payment that dYdX conveys to you, including income taxes, sales, personal property, use, VAT, excise, withholding and self-employment taxes. dYdX has the right to withhold from any amounts payable to you such foreign, federal, state or local taxes as may be required to be withheld under any Applicable Law. You agree to report the value of the benefit or payment you receive from dYdX to all applicable legal and local authorities, and complete any required tax forms that dYdX requests be completed prior to receiving your benefit or payment.
9. GENERAL
Sections 11 through 17 of the Terms of Use are incorporated herein by reference, and you are equally subject to those provisions mutatis mutandis with respect to these Bug Bounty Terms and the Bug Bounty Program. Unless the context expressly otherwise requires, (a) wherever the word “include,” “includes” or “including” is used, it will be deemed to be followed by the words “without limitation”; and (b) the word “or” is not exclusive. dYdX may, without or without notice, revise these Bug Bounty Terms, including any benefits or payments, and publish amended versions thereof from time to time. Your participation or continued participation in the Bug Bounty Program constitute your acceptance of any amendments to these Bug Bounty Terms. dYdX may, in its sole discretion, amend or terminate the Bug Bounty Program at any time with or without notice, and your continued use of the dYdX platform or participation in the Bug Bounty Program after such amendment shall constitute acceptance of all amended terms.
EXHIBIT A
BUG BOUNTY PAYMENTS
Type of Vulnerability | Payment Range (USD Coin (USDC)) |
Very Low Severity, Ineligible Reports, etc. | To be determined in dYdX’s sole discretion. |
Low Severity | 50 – 5,000 |
Medium Severity | 5,000 – 50,000 |
High Severity | 50,000 – 150,000 |
Critical Severity | 150,000 – 1,000,000 |