Bug bounty program
In scope
On mainnet, any bug that could trigger an outage, data corruption, or logical errors affecting validator nodes, the matching engine, risk services, or public/private API endpoints is in scope.
On testnet, testnet-only components of the 1024EX execution layer and their interaction with core services (e.g., order book, risk engine, funding, and settlement logic) are also in scope. For features not yet live on mainnet, rewards for execution-layer issues may differ from comparable mainnet severities and will follow the latest 1024EX bounty policy.
Other experimental or gated features on testnet are out of scope unless explicitly announced; nonetheless, high-quality reports are appreciated.
Submission process
Prepare a report with clear reproduction steps, expected vs. actual behavior, affected components, logs/tx hashes where applicable, and a proof of concept. Submit to [email protected] (single point of contact; do not use third-party sites).
If multiple parties report the same issue, the first complete, reproducible submission is eligible.
Rewards are paid for responsible disclosure based on severity and impact, typically in USDC via a 1024EX-supported settlement method (subject to KYC/KYB and the latest payout policy).
1024EX will not pursue legal action for research conducted in good faith and within this program’s rules. We value and respect the time invested in every report.
Prohibited activity
Live-fire testing on mainnet that risks user funds or market integrity; use testnet or approved local forks.
Phishing, social engineering, or physical attacks.
Sustained, large-scale DDoS; limited tests demonstrating mishandling of short-term spikes are acceptable.
Testing that relies on third-party systems (e.g., extensions, SSO providers, ad networks) unless it leads to a direct 1024EX vulnerability.
Ransom demands, threats, or any extortion.
Public disclosure before remediation and bounty payment.
Sharing or threatening to share PII or other sensitive data without consent.
Exploiting discovered issues for financial gain beyond this program’s rewards.
Circumventing these procedures or performing unauthorized testing outside the stated scope.
Eligibility
Reports must be submitted to [email protected]; external platforms are not permitted.
Submitters must comply with KYC/KYB requirements where applicable.
Submitters must be able to receive bounty payouts through a method supported by 1024EX.
Confidentiality must be maintained until 1024EX authorizes disclosure.
Findings must be reproducible; classifications and payouts are applied per the current program policy and may evolve.
Individuals materially involved in building the affected code are not eligible for bounties related to that code.
Ineligibility
Reports lacking sufficient detail: missing step-by-step instructions, PoC, or reproducible artifacts.
Vulnerabilities requiring unreasonable or highly unlikely user behavior.
Issues caused by unsupported environments (e.g., outdated OS/browsers, legacy software not supported by 1024EX).
Findings that depend on root/jailbroken devices or nonstandard device modifications.
Flaws in third-party tools/libraries that do not create a direct 1024EX risk.
Non-security bugs (minor performance/UI defects) without a security impact.
Findings contingent on unrealistic market conditions that do not reflect plausible real-world scenarios.
General conditions
Submissions that fail to meet program requirements, fall outside the stated scope, or match an ineligibility rule will not receive payment.
1024EX reserves sole discretion to validate, classify, and determine rewards for submissions.
All submissions become the property of 1024EX; we may use, modify, or disclose them for security purposes.
Classification examples
(indicative, non-exhaustive; exact tiers follow the latest 1024EX policy)
Critical: Credible loss of user funds; violation of core execution invariants; cross-component flaws enabling arbitrary balance changes or unauthorized liquidation/withdrawal.
High: Network or service downtime without incorrect state; cross-tenant data access; order-book integrity violations; bypass of risk or price-band checks.
Medium: API performance degradation, rate-limit bypass, or information disclosure increasing attack surface but not directly compromising funds.
For clarity, final severity considers both impact and likelihood, and payouts may vary within tier ranges per the most recent program schedule.
