Bounties
Please discuss with a staff member beforehand
ROX Games is committed to maintaining the security and integrity of its platform and protecting its users' personal information. To that end, we have established a bug bounty program to encourage responsible disclosure of vulnerabilities that may be discovered on our platform. If you have found a vulnerability in our platform, we ask that you report it to us in accordance with the terms of this policy.
Eligibility:
To be eligible for a reward under this bug bounty program, you must:
Report the vulnerability to us directly, either through the in-game support system or through our dedicated security email address.
Provide a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with explicit permission of the account holder.
Impacts in Scope:
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in-scope, even if they affect something in the assets listed below.
Smart Contracts:
Loss of user funds staked (principal) by freezing or theft
Loss of governance funds
Theft of unclaimed yield
Freezing of unclaimed yield
Temporary freezing of funds for X minutes/hours/days
Unable to call smart contract
Smart contract gas drainage
Smart contract fails to deliver promised returns
Vote manipulation
Incorrect polling actions
Web/App:
Leak of user data
Deletion of user data
Injection of user data
Injection of arbitrary HTML or JavaScript
CSRF attacks
Cross-Site Scripting (XSS) attacks
Cross-Site Request Forgery (CSRF) attacks
Forced browsing
Automated account creation
Unauthorized access to administrator functions
Unauthorized access to user accounts
Unauthorized access to sensitive information
Other:
Denial of service attacks
Physical attacks against our infrastructure
Spamming
Social engineering attacks (phishing, vishing, smishing)
Exclusions:
The following types of vulnerabilities are not eligible for rewards under this bug bounty program:
Vulnerabilities must be original and previously unreported.
The following vulnerability types are within the scope of our bounty program:
Smart Contracts:
Loss of user funds staked (principal) by freezing or theft
Loss of governance funds
Theft of unclaimed yield
Freezing of unclaimed yield
Temporary freezing of funds for X minutes/hours/days
Unable to call smart contract
Smart contract gas drainage
Smart contract fails to deliver promised returns
Vote manipulation
Incorrect polling actions
Web/App:
Leak of user data
Deletion or modification of user data
Access to unauthorized functionality
CSRF
XSS (cross-site scripting)
SQL injection
Server-side injection
Authentication and session management issues
Server-side request forgery
Remote code execution
Insecure direct object references
Security misconfigurations
Insecure cryptographic storage
Failure to restrict URL access
Cross-site request forgery
Insufficient security controls
Significant security misconfigurations
Infrastructure:
Remote code execution
SQL injection
Server-side request forgery
Server-side injection
Insecure direct object references
Security misconfigurations
Insecure cryptographic storage
Rewards
ROX Games will pay out rewards based on the Severity Rating below. Please note that we reserve the right to pay more or less depending on the quality of the report and the severity of the issue.
Severity: Reward
Critical: Up to $50,000
High: Up to $30,000
Medium: Up to $15,000
Low: Up to $7,500
Note: These rewards are based on the severity of any smart contract issues that could lead to the loss of user funds not previously known to the ROX team, limited to one reward across all platforms. All reports should come with a proof of concept. Public disclosure of a bug will invalidate any potential rewards. Only contracts that directly handle ROX user funds are in the scope of this program.
Last updated