1. Purpose & Philosophy
YieldGuard is committed to the security of our users’ assets and the stability of the broader on-chain Treasury-bill ecosystem. We operate a responsible-disclosure programme—hosted on Immunefi and mirrored here—to provide researchers with clear, safe and rewarding channels to report vulnerabilities.
2. Scope
| Layer | In Scope | Notes |
|---|---|---|
| Smart-contracts | | Verify addresses on our docs site |
| Front-end | | Including source maps & sub-resource integrity |
| Off-chain micro-services | Rebalance Cron, Oracle Watcher, AI Agent Orchestrator | Hosted in AWS Fargate—see architecture docs |
| API & Subgraph | | Rate-limit bypass and auth flaws included |
| Docs & Marketing site | | XSS, CSRF, cache poisoning |
2.1 Out-of-Scope Examples
- Denial-of-Service (volumetric or application-layer)
- Social engineering or phishing of staff or users
- Third-party platforms (e.g., Discord, X/Twitter), unless they lead to direct compromise
- Automated scanners with no PoC or reproducibility
3. Eligibility Requirements
- Be the first to report an unknown, non-public vulnerability.
- Provide a clear proof-of-concept (PoC) that reproduces the issue.
- Abstain from exploiting the vulnerability beyond what is necessary to demonstrate impact.
- Comply with all applicable laws and regulations.
- For rewards ≥ 10,000 USDC, complete a one-time KYC check to satisfy AML rules.
4. Safe Harbour
We will not pursue legal action or refer law enforcement for good-faith, non-malicious research that complies with this policy. Any related contractual, DMCA, or Anti-Hacking claims will be waived. If in doubt, ask first via security@yieldguard.finance.
5. Disclosure Process & SLA
- Acknowledgement: Within 24 hours of receipt
- Triage & Severity rating: ≤ 5 business days
- Fix or mitigation: Target ≤ 30 days for Critical/High, ≤ 60 days for Medium/Low
- Public disclosure: Reporter may publish after: (a) patch released or (b) 90 days from acknowledgement—whichever is sooner
- Payout: Within 7 days of patch or mutual disclosure agreement
We may request up to two 30-day extensions for complex fixes; reporters may decline, but must defer public release until the extension expires.
6. Severity Classification & Reward Matrix
Rewards are paid in USDC and benchmarked against the OWASP–EVM severity model. The programme has a 75,000 USDC rolling pool, topped up quarterly.
| Severity | Impact Examples | Reward (USDC) |
|---|---|---|
| Critical | Theft or permanent loss of user funds, bypass of multi-signature, mint/burn imbalance, arbitrary upgrade | 20,000 – 40,000 |
| High | Temporary DoS of vault, incorrect NAV calc > 0.5%, oracle manipulation affecting > $100 k TVL | 7,500 – 15,000 |
| Medium | Circumvention of issuer caps, KYC bypass, re-entrancy freezing funds < $100 k, gas griefing | 2,500 – 7,000 |
| Low | Minor rounding errors, UI-only XSS, information disclosure without user impact | 500 – 2,000 |
| Informational | Best-practice suggestions, typos, non-exploitable issues | Swag & leaderboard points |
Final rewards within the band depend on exploitability, quality of report, and completeness of PoC.
7. How to Report
- Platform (preferred): Immunefi – YieldGuard programme
- Email: security@yieldguard.finance (PGP fingerprint: 0xF1E3 7D4C A2B5 3AF7 B9C8 1F2A 5E8C 1749 A7FF D024)
Please include:
- Overview & affected components
- Step-by-step reproduction
- Expected vs actual behaviour
- Impact assessment & severity suggestion
- Solidity diff or transaction trace if on-chain
8. Duplicates & Previous Reports
- Only the first valid report for a specific vulnerability is eligible.
- Issues already known internally or publicly are ineligible.
9. Exclusions & Non-Qualifying Findings
- Reports without a working PoC
- Self-XSS or rate-limit spam tests
- Unencrypted credentials in memory dumps without a clear exploit path
- Lack of DNSSEC, SPF, or other common configurations outside core infrastructure
10. Hall of Fame & Leaderboard
Researchers may opt to be listed on our public leaderboard with an alias, severity points, and total rewards.
11. Program Changes
YieldGuard may amend reward ranges or scope with a 7-day notice on Immunefi & docs; submitted reports remain governed by the policy in effect at the time of submission.
12. Contact
PGP-encrypted e-mails are strongly recommended.
- Security hotline (Signal): +1-415-555-0139 (text only)
- Status page & live incident updates: status.yieldguard.finance