Unit 410: Vulnerability Rewards Program

Unit 410

Vulnerability Rewards Program
No technology is perfect, and Unit 410 believes that working with skilled security researchers is crucial in identifying weaknesses in technology. If you believe you've found a security issue that affects staking nodes that we're running, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Notification Policy

Let us know as soon as possible upon discovery of a potential security issue, and, if there is any issue, we'll work t to resolve it quickly.

Allow a reasonable amount of time for us to resolve an issue before disclosing to the public or a third-party.

Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
All submissions of such disclosure notifications are subject to additional terms and conditions.

Tiers

Our reward tiers are as follows. Classification and qualification for any reward is up to Unit 410’s exclusive judgment and discretion, and payment, if any, would be subject to additional terms and conditions and our ability to pay. We will make a reasonable effort to resolve submissions in a manner that is mutually beneficial.

Tier	Minimum Reward	Description
Critical	shared on request	Exploits, system access or issues in key management, production crypto systems or contracts designed and managed by unit 410 that could lead to the loss of > $1m of value.
High	shared on request	Direct access to other unit 410 managed production systems or data that could lead to the loss of > $100k of funds. This excludes vulnerabilities introduced through network or protocol wide issues.
Medium	shared on request	Other issues with Unit 410 production systems, services or dependencies that could be used to disrupt operations or impact > $10k of value. Non-public vulnerabilities in underlying crypto protocols that can be mitigated.
Low	shared on request	Security (mis)configuration.
Info	none	Best practices and other non-critical recommendations.

Exclusions
To be considered for a reward, we'd ask you to refrain from:

Denial of service

Spamming

Submitting email issues (SPF, DKIM, etc) on subdomains

Social engineering (including phishing) of Unit 410 staff or contractors

Any physical attempts against Unit 410

Unit 410

Tiers

Exclusions To be considered for a reward, we'd ask you to refrain from: Denial of service Spamming Submitting email issues (SPF, DKIM, etc) on subdomains Social engineering (including phishing) of Unit 410 staff or contractors Any physical attempts against Unit 410

Contact

Exclusions
To be considered for a reward, we'd ask you to refrain from:

Denial of service

Spamming

Submitting email issues (SPF, DKIM, etc) on subdomains

Social engineering (including phishing) of Unit 410 staff or contractors

Any physical attempts against Unit 410