Report & Earn Program – Guidelines & Terms

Last updated: Dec 16, 2025

Welcome to TheBenefactor Bug Bounty (Report & Earn) program.
By submitting a report, you agree to follow responsible disclosure and ethical testing practices.


1. Responsible Disclosure (IMPORTANT)

By participating, you agree to the following:

  • Report vulnerabilities privately to us first using the Report & Earn system.

  • Do not publish, share, or disclose any vulnerability publicly until we have reviewed and fixed it.

  • Allow us reasonable time to remediate issues, typically up to 90 days, depending on severity and complexity.

  • Do not exploit vulnerabilities beyond what is strictly necessary to demonstrate the issue.

  • Do not access, view, modify, or delete other users’ data at any time.

  • Do not disrupt services, degrade performance, or impact real users.

  • Do not perform denial-of-service (DoS), spam, or automated attacks.

Failure to follow responsible disclosure may result in report rejection and loss of rewards.


2. Testing Rules

  • Smart contract testing must be performed on testnet only.

  • Use minimal, non-destructive techniques.

  • Stop testing immediately if there is risk to users, funds, or platform stability.


3. In-Scope Issues

Eligible examples include:

  • Security vulnerabilities

  • Authentication or authorization issues

  • Smart contract logic flaws (testnet only)

  • UI/UX issues affecting functionality

  • Incorrect balances, calculations, or data display

  • Performance, stability, or crash-related bugs


4. Out-of-Scope Issues

The following are not eligible for rewards:

  • Social engineering or phishing attacks

  • Physical access or device-based attacks

  • Denial-of-service (DoS) attacks

  • Spam, brute force, or automated abuse

  • Third-party services outside our control

  • Issues already known or previously reported


5. Report Requirements

To qualify for a reward, your submission must include:

  • Clear and repeatable steps to reproduce

  • Screenshots, videos, or logs when applicable

  • Environment details (browser, device, OS, network)

  • A brief explanation of impact and risk

Incomplete reports may be rejected.


6. Duplicate Reports

  • Rewards are granted to the first complete and valid report.

  • Duplicate submissions may be marked informational only.

  • Timestamp and report quality determine priority.


7. Rewards & Payments

  • Rewards are paid in $PIF tokens.

  • Amounts depend on the severity, impact, and quality of the report.

  • Rewards are issued after verification and remediation.

  • Payments are typically made within 10 business days of approval.

All reward decisions are final.


8. Legal Safe Harbor

If you act in good faith and follow these guidelines:

  • We consider your research authorized.

  • We will not pursue legal action in connection with your report.

  • Safe harbor does not apply to actions outside these rules.


9. Program Changes

TheBenefactor may modify or terminate this program at any time without prior notice.
All decisions regarding scope, eligibility, and rewards are final.


10. Contact

Questions or clarifications:
📧 [email protected]