Bug Bounty

Universe's foremost priority will ALWAYS be the security of our platform.

We have implemented a number of stringent security measures to protect our users:

  • Multiple Security Layers: Whitelist KYC mechanism, EOA Mechanism, etc.

  • Enterprise Level Security: Private Vault

  • Authoritative security audits: Certik, Peckshield, etc.

This has allowed Universe to operate safely since it went online.

We have also launched our bug bounty program to improve our security and increase scrutiny of our code. Should you find any security vulnerability while using the product, please let us know. We will evaluate the severity of the contract vulnerability and reward you with a very generous bounty based on the evaluation results.

Scope

The scope of the Program will initially be limited to high severity bugs in Universe’s core contracts. Any bug found that would result in draining reserve funds is considered in scope.

The following are not within the scope of the Program:

  • Bugs in any third party contract or platform that interacts with Universe;

  • Vulnerabilities already reported and/or discovered in contracts built by third parties on Universe;

  • Any already-reported bugs;

  • Bugs caused by the following activities: front end bugs, DDoS attacks, spamming, phishing, automated tools, compromise or misuse of third party systems or services.

Rewards

The severity of those bugs will be calculated using the Common Vulnerability Scoring System (CVSS):

  • Critical (9.0-10.0): $50,000 - $100,000 UNT

  • High (7.0-8.9): Up to $15,000 UNT

  • Medium (4.0-6.9): Up to $3,000 UNT

In addition to severity, rewards will also be weighed against the impact of bugs found and the difficulty level of finding them.

Disclosure

Any vulnerability or bug discovered must be reported only to the following email: team@universe.finance.

The vulnerability must not be disclosed publicly or to any other person, entity or email address before Universe has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.

  • The steps needed to reproduce the bug or, preferably, a proof of concept.

  • The potential implications of the vulnerability being abused.

Once we receive your report, we promise to do the following:

  • Respond to your report within 5 business days.

  • Handle your report with strict confidentiality.

  • Provide you updates regarding the progress of your submission status and the resolution of the reported issue.

  • Give you credit by naming you as the successful bounty hunter of the issue, unless you desire otherwise.

  • Offer you the proper reward as per the prior rules to thank you for helping us make Universe as secure as possible!

Eligibility

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability that would result in a loss of and/or lock on any assets on Universe (but not on any third party platform interacting with Universe) and that is within the scope of this Program.

  • Be the first to disclose the unique vulnerability to team@universe.finance, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24 hour period, rewards will be split at the discretion of Universe.

  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.

  • Not engage in any unlawful conduct when disclosing the bug to team@universe.finance, including through threats, demands, or any other coercive tactics.

  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).

  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Universe.

  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.

  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.

  • Comply with all the eligibility requirements of the Program.
