Bug Bounty Guidelines
Purpose
Magi is committed to building secure, resilient infrastructure. We welcome and encourage responsible security research and disclosure from the community.
These Bug Bounty Guidelines define how security vulnerabilities should be reported, how researchers should act, and how Magi will engage with good-faith contributors.
The bug bounty program applies to:
- Magi protocol smart contracts
- Core protocol infrastructure and services
- Magi repositories and codebases
- Public-facing APIs, tooling, and integrations operated by Magi
Out of scope (unless explicitly stated otherwise):
- Social engineering, phishing, or physical attacks
- Issues in third‐party services or dependencies not controlled by Magi
- Findings that rely on unrealistic assumptions or non-standard environments
Responsible Discourse Expectations
We ask all security researchers to act in good faith.
Researchers must:
- Report vulnerabilities privately and promptly
- Provide sufficient detail to reproduce and verify the issue
- Allow Magi a reasonable period, not to exceed ninety (90) days, to investigate and remediate prior to any public disclosure
- Avoid exploiting vulnerabilities
Researchers must not:
- Publicly disclose vulnerabilities before Magi approval
- Exploit vulnerabilities for financial gain, data extraction, or disruption
- Share details of vulnerabilities with third parties prior to remediation
Reporting Process
All vulnerability reports should include:
- A clear description of the vulnerability
- Affected components
- Steps to reproduce or proof of concept
- Potential impact and severity assessment
- Any suggested mitigation (if known)
Reports should be submitted via private messages on Discord/X and email to:
- @vaultec
- @lordbutterfly
- email: security@magi.eco
Safe Harbor
Magi considers security research conducted in accordance with these Guidelines to be authorized.
We will not pursue legal action against researchers who:
- Act in good faith
- Follow responsible disclosure practices
- Do not exploit vulnerabilities maliciously
This safe harbor applies only to activities within the scope of this program.
Bounty Eligibility & Rewards
Bounties may be awarded at Magi’s discretion based on:
- Severity and impact of the vulnerability
- Quality and clarity of the report
- Demonstrated understanding and professionalism
- Whether the issue was previously known or reported
Rewards may include:
- Monetary rewards (crypto)
- Public acknowledgment (with researcher consent)
The existence of this program does not guarantee payment for all reports.
Confidentiality
Until a vulnerability is resolved and disclosure is approved:
- All details of the report are considered confidential
- Researchers agree not to disclose information publicly or privately
This protects users, the protocol, and the researcher.
Changes & Program Discretion
Magi reserves the right to modify, suspend, or terminate this bug bounty program at any time.
Participation in the program does not create any contractual obligation or employment relationship.