# Bug Bounty and reporting of issues

Quicksilver recognizes the importance and value of security researchers’ efforts in improving community safety. We reward ***responsible disclosure*** of security vulnerabilities via our bug bounty program.

The bug bounty program covers all the code and services associated with Quicksilver.

Taking part in the Bug Bounty Program requires researchers to adhere to the following rules:

1. Providing Quicksilver with a reasonable amount of time to fix the vulnerability prior to sharing details of the vulnerability with any other party.
2. Preserving the confidentiality and integrity of any data acquired during the security research process.
3. Not defrauding Quicksilver in the process of participating in this program.
4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Quicksilver.
5. Reporting vulnerabilities with no conditions, demands, or ransom threats.
6. Complying with and passing a KYC or KYB process.

Social Engineering attacks are a violation of the rules of the program.

### Bug submission format

Bug reports must be submitted securely. We use PGP encryption to communicate with our security researchers.

Before you submit a report you will need to have a PGP keypair for secure communication with Ingenuity.

You can find the [Ingenuity public key on Github](https://github.com/ingenuity-build/quicksilver/blob/develop/SECURITY.md) and instructions to generate and use your keys [here](https://web.pa.msu.edu/reference/pgpdoc1.html).

All submissions must be provided using the template below:

**Contact information**

* Email address
* PGP public key

**Issue Description**

Add a detailed description of the issue, including but not limited to: the impact on the network or end users, the software version(s) affected, current vs. expected behaviour, likelihood of exploitation, and any alternatives or workarounds for the vulnerability.

**Affected URL/Area**

The affected URLs or area of the application where the issue exists.

**Risk Rating**

* Risk:
* Difficulty to Exploit:
* CVSS3 Score:
* Authentication:

The Quicksilver team will re-evaluate this rating after the report has been submitted and the steps provided have been reproduced.

**Impact**

* What kind of attacker?
* Do they need authentication?
* Who else does it affect?

**Steps to reproduce/PoC**

A clear outline of the steps required to execute the payload as an attacker; this can include how to set up the payload and launch it.

* Request
* Response
* Show, Introduce, Discuss
* Screenshots

If applicable, please include a list of all the prerequisites for reproducing the vulnerability (e.g., software used for debugging, special node configurations).

**Affected Demographic/User Base**

* Explain who this issue affects
* Is it everyone or just a select number of users?
* How can this occur?

**Recommended Fix**

* How do you fix the issue?
* What remediation actions are required to successfully fix the issue?

**References**

Include additional reading for the client to further back up the issues explained, or to elaborate on other potential issues chained to the one identified.

**KYC / KYB requirement**

Quicksilver requires KYC / KYB to be done for all researchers submitting a report and wanting a reward above a certain dollar level.

The information required (photographic ID, utility bill) is assessed by a third party (Synaps). Researchers that are business entities will have to provide additional information (e.g., directors, owners). Please anticipate that Synaps might require documentation in English, or certified translations into it. The collection and assessment of this information is done by Synaps; Quicksilver will not have access to KYC / KYB information.

### Bug Bounty Program Rewards

Above a certain dollar level, payouts are contingent on successfully passing a KYC or KYB process. Payouts are handled directly by the Quicksilver team. Rewards are denominated in USD but are paid out in QCK or USDC.

Please note that this is the first iteration of the Bug Bounty Program Rewards and that it might evolve in the future; the payout ranges below are for informational purposes only.

**Scope**

Vulnerabilities already identified in the security audit reports by Halborn Security and Orijtech are not eligible for rewards.

Vulnerabilities associated with chains connected to Quicksilver should be reported to the specific chains’ security teams.

**Payout ranges**

**Blockchain (quicksilverd)**

* Low: Up to USD 500
* Medium: Up to USD 2,500
* High: Up to USD 20,000
* Critical: Up to USD 50,000

**Applications and websites (quicksilver webapp, icq, xcclookup, authz-pusher)**

* Low: Up to USD 100
* Medium: Up to USD 500
* High: Up to USD 1,000
* Critical: Up to USD 2,500

**Other infrastructure and services**

* Low: Up to USD 200
* Medium: Up to USD 1,000

