Bug Bounty Program Terms and Conditions
Last updated September 14, 2023
Subject to these Bug Bounty Terms, to be eligible to participate in the Bug Bounty Program, during the period of your participation, you must:
be of legal age in the jurisdiction in which you reside and you must have the legal capacity to enter into, and be bound by, these Bug Bounty Terms if you are participating in the Bug Bounty Program as an individual;
have the legal authority to accept these Bug Bounty Terms on the applicable entity’s behalf, in which case “you” (except as used in this paragraph) will mean the foregoing entity if you are participating in the Bug Bounty Program as an entity;
be the first person to report or disclose the vulnerability to dYdX in accordance with these Bug Bounty Terms, including by emailing sufficient information to firstname.lastname@example.org;
provide sufficient information to enable dYdX to reproduce and fix the applicable vulnerability;
not engage in any unlawful conduct when discovering, reporting or disclosing the vulnerability to dYdX, including the use of threats, demands or any other coercive tactics;
not have exploited or attempted to exploit the vulnerability in any way, including by making such vulnerability public or by obtaining a profit or other benefit (other than a payment under the Bug Bounty Program);
submit only one (1) vulnerability per report or disclosure, unless you need to combine vulnerabilities to provide sufficient information with respect to any of the applicable vulnerabilities;
not submit a vulnerability caused by the same underlying issue on which a payment has been provided under the Bug Bounty Program;
not ask for payment in exchange for vulnerability details or dispute the applicability of the Bug Bounty Program to you, including the amount of any proposed or actual payment or categorization of a vulnerability; and
not be a current or former employee (within 6 months), vendor, contractor, or agent for dYdX, or a current or former employee (within 6 months) of any of the foregoing.
2. SCOPE OF VULNERABILITIES
The following non-exhaustive types of vulnerabilities are excluded from any payments with respect to the Bug Bounty Program:
vulnerabilities previously known to dYdX;
vulnerabilities with respect to sites hosted by third parties unless such vulnerabilities lead to a vulnerability on the Site;
vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack or other similar types of exploitation;
vulnerabilities affecting outdated or unpatched browsers;
vulnerabilities in third-party applications that use the dYdX API;
vulnerabilities publicly disclosed in third-party libraries or technology used in the Services or the Site;
vulnerabilities that require an improbable level of user interaction;
vulnerabilities that require rooting or jailbreaking a mobile device;
missing security headers without proof of exploitability;
suggestions on best practices;
software version disclosure;
front end bugs;
unsophisticated or generic DDoS attacks;
automated tools (GitHub Actions, AWS); and
compromise or misuse of third party systems or services.
dYdX reserves the right to determine whether a vulnerability is eligible for a payment under the Bug Bounty Program in its sole discretion.
3. DISCLOSURE AND REPORTING REQUIREMENTS
Any vulnerability discovered must be reported only to the following email: email@example.com, and must comply with all other requirements in this Bug Bounty Program.
The vulnerability must not have been or be disclosed publicly or to any other persons before dYdX has been notified, has fixed the issue, and has granted permission, if at all, for such disclosure. The disclosure to dYdX must be made within twenty-four (24) hours following discovery of the applicable vulnerability. If similar vulnerabilities are reported within the applicable twenty-four (24)-hour period, any payment may be split by dYdX between such reporters, or may be paid to the first person to make such report, and in either case shall be determined in the sole discretion of dYdX.
A detailed report of a vulnerability increases the likelihood of a payment and may increase the amount of such payment. Please provide as much information about the vulnerability as possible, including:
the conditions on which reproducing the vulnerability is contingent;
the steps needed to reproduce the vulnerability or, preferably, a proof of concept; and
the potential implications of abusing the vulnerability.
Subject to these Bug Bounty Terms, you will receive payments based on the type of vulnerability reported or disclosed in accordance with Exhibit A. The categorization and amount of any payment will be determined at the sole discretion of dYdX, including without limitation eligibility for such payment, and the severity of any applicable vulnerability.
5. BUG BOUNTY PROGRAM ADMINISTRATION
dYdX reserves the right to administer the Bug Bounty Program in its sole discretion:
dYdX reserves the right to make awards that do not comply with every requirement herein, such as your failure to provide a detailed report of any vulnerability, or your failure to notify dYdX through the correct channel. Awards made pursuant to such exceptions made by dYdX do not constitute any waiver by dYdX of any other terms and conditions set forth herein.
If you access any personal information or other sensitive information for which you do not have authority to access, then you must immediately stop accessing such information and destroy all copies thereof. You must not provide such information to dYdX and must only provide dYdX a description thereof.
7. RELEASE AND PUBLICITY
YOU AGREE TO RELEASE AND HOLD HARMLESS DYDX AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS FROM AND AGAINST ANY CLAIM OR CAUSE OF ACTION ARISING OUT OF YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND/OR ANY DETERMINATION MADE ABOUT YOUR ELIGIBILITY IN THE BUG BOUNTY PROGRAM OR ANY PAYMENT THEREUNDER THAT MAY OR MAY NOT BE DUE TO YOU. YOU AGREE THAT DYDX AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS ARE NOT LIABLE FOR INJURIES, LOSSES OR DAMAGES OF ANY KIND ARISING FROM YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND ACCEPTANCE, POSSESSION AND USE OF THE BENEFITS OR PAYMENTS RECEIVED UNDER THE BUG BOUNTY PROGRAM. DYDX IS NOT RESPONSIBLE FOR ANY TYPOGRAPHICAL OR OTHER ERROR IN THE PUBLICATION OF THESE BUG BOUNTY TERMS OR ADMINISTRATION OF THE BUG BOUNTY PROGRAM OR ANNOUNCEMENT THEREOF.
You will be solely responsible for all income tax liabilities that arise from or in any way relate to any benefit or payment that dYdX conveys to you, including income taxes, sales, personal property, use, VAT, excise, withholding and self-employment taxes. dYdX has the right to withhold from any amounts payable to you such foreign, federal, state or local taxes as may be required to be withheld under any Applicable Law. You agree to report the value of the benefit or payment you receive from dYdX to all applicable legal and local authorities, and complete any required tax forms that dYdX requests be completed prior to receiving your benefit or payment.
BUG BOUNTY PAYMENTS
Type of Vulnerability
Payment Range (USD Coin (USDC))
Very Low Severity, Ineligible Reports, etc.
To be determined in dYdX’s sole discretion.
50 – 5,000
5,000 – 50,000
50,000 – 150,000
150,000 – 1,000,000