Bug bounty program

Flexa takes the security of our systems, software, and internal processes very seriously, and we appreciate the support of hackers acting in good faith to help us maintain the highest standard of security for our payments platform and collateralization contracts. While Flexa's network infrastructure has been rigorously audited by respected third party security researchers, the technology it relies on is new and may contain as-yet undiscovered vulnerabilities.

As such, we encourage the broader community to help review the security of our systems and software, and we have created this bug bounty program to facilitate the responsible disclosure of any vulnerabilities discovered. Below, we outline the process for participating in this program, including the scope of submissions we will consider, how we will reward successful vulnerability disclosures, and the process for submitting a new disclosure.

If you have any questions about the program below, please don’t hesitate to contact us at [email protected].

Rewards

Flexa offers substantial rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to a user, commensurate with the severity and exploitability of the vulnerability. For eligible discoveries, Flexa will pay a reward of $500 to $150,000 according to the terms below.

Scope

The primary scope of this bug bounty program is for vulnerabilities affecting the on-chain Flexa collateral management smart contract on the Ethereum Mainnet:

  • 0x706D7F8B3445D8Dfc790C524E3990ef014e7C578

The following contracts are no longer considered within the scope of this bug bounty program:

  • 0x12f208476F64De6e6f933E55069Ba9596D818e08

  • 0x455a3B78Cfe4B88268DBee2119eB06fB1d3F1f61

  • 0x4a57E687b9126435a9B19E4A802113e266AdeBde

  • 0xfF20817765cB7f73d4bde2e66e067E58D11095C2

These list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts built on top of the Flexa platform by third-party developers (such as smart contract wallets) are not in-scope, nor are vulnerabilities that require ownership of an admin key.

The secondary scope of the bug bounty program is for vulnerabilities affecting the Flexa platform backend services or the Flexa Capacity dApp hosted at app.flexa.network that could conceivably result in exploitation of user accounts.

Finally, any test contracts (on Sepolia and other testnets) or staging servers not listed above are out of scope, unless the discovered vulnerability also affects the Flexa platform or Capacity dApp, or could otherwise be exploited in a way that risks loss of user funds.

Disclosure

To disclose a vulnerability, send an email to [email protected] with clear and concise steps to reproduce the discovered vulnerability in either written or video format. Upon your disclosure, Flexa will follow up promptly to acknowledge receipt.

Terms

To be eligible for bug bounty reward consideration, you must:

  • Identify an original, previously unreported, non-public vulnerability within the scope of the Flexa bug bounty program as described above;

  • Include sufficient detail in your disclosure to enable our engineers to quickly reproduce, understand, and fix the vulnerability;

  • Be of legal age in your jurisdiction (or have your parent or legal guardian available to sign any bug bounty program reward agreements on your behalf);

  • Be reporting in an individual capacity, or permitted by your organization to participate in this bug bounty program;

  • Not be subject to US sanctions or reside in a country embargoes by the US Office of Foreign Assets Control; and

  • Not be employed by or a consultant for Flexa or be an immediate family member of an employee or consultant for Flexa.

To encourage productive research and to avoid any confusion between good-faith hacking and malicious attacks, we require that you:

  • Promptly report any vulnerability you discover;

  • Test only using accounts owned by you or your team, and do not interact with other accounts without their express consent;

  • Avoid disrupting our systems, destroying data, or harming the overall user experience for users not associated with your research;

  • Use only [email protected] to discuss vulnerabilities with us;

  • Keep the details of any discovered vulnerabilities confidential until they are fixed;

  • Perform your testing on in-scope systems only, and respect any systems and activities that are out-of-scope;

  • Follow the terms of this program and any other relevant agreements you have with Flexa; and

  • Do not engage in blackmail, extortion, or any other unlawful conduct.

When working with us according to this program, you can expect us to:

  • Pay generously for eligible discoveries based on the severity and exploitability of the discovery, at Flexa’s sole discretion;

  • Extend Safe Harbor for your vulnerability research related to this program (i.e., we will not threaten or bring legal action against anyone who makes a good faith effort to comply with our bug bounty program);

  • Work with you to understand and validate your reports, beginning with a timely initial response to your disclosure;

  • Work to remediate discovered and recognized vulnerabilities in a timely manner; and

  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability and your report triggers a code or configuration change.

All reward determinations, including the eligibility of a disclosure and the payment of any amount of money as the result of a successful vulnerability identification, shall be made at the sole and exclusive discretion of Flexa, which reserves the right to reject submissions and modify or update the controlling terms of this program as it deems appropriate.