autobahn/SECURITY.md

# Important Notice
Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to security@mango.markets with a detailed description of the attack vector and security risk you have identified.

# Bug Bounty Overview
Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.

|Severity|Description|Bug Bounty|
|-----------|--------------|-------------|
|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000|
|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis|
|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis|

The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/). 
Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.

## Submission
Please email security@mango.markets with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.

## Bug Bounty Payment
Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.

## Invalid Bug Bounties
The following are out of scope for the bug bounty:
1. Attacks that the reporter has already exploited themselves, leading to damage.
2. Attacks requiring access to leaked keys/credentials.
3. Attacks requiring access to privileged addresses (governance, admin).
4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
5. Lack of liquidity.
6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
7. Best practice critiques.
8. Sybil attacks.
Release executor 1.0.0 (#11) * add security txt and policy * set version number for autobahn executor * add github workflow 2024-10-04 05:30:10 -07:00			`# Important Notice`
			`Please DO NOT create a GitHub issue to report a security problem. Instead, please send an email to security@mango.markets with a detailed description of the attack vector and security risk you have identified.`

			`# Bug Bounty Overview`
			`Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.`

			`\|Severity\|Description\|Bug Bounty\|`
			`\|-----------\|--------------\|-------------\|`
			`\|Critical\|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures\|10% of the value of the hack up to $1,000,000\|`
			`\|High\|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds\|$10,000 to $50,000 per bug, assessed on a case by case basis\|`
			`\|Medium/Low\|Bugs that don't threaten user funds\|$1,000 to $5,000 per bug, assessed on a case by case basis\|`

			`The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/).`
			`Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.`

			`## Submission`
			`Please email security@mango.markets with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.`

			`## Bug Bounty Payment`
			`Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.`

			`## Invalid Bug Bounties`
			`The following are out of scope for the bug bounty:`
			`1. Attacks that the reporter has already exploited themselves, leading to damage.`
			`2. Attacks requiring access to leaked keys/credentials.`
			`3. Attacks requiring access to privileged addresses (governance, admin).`
			`4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).`
			`5. Lack of liquidity.`
			`6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).`
			`7. Best practice critiques.`
			`8. Sybil attacks.`