Bug Bounty Program

Help us keep PolyWager secure. We reward security researchers who responsibly disclose vulnerabilities in our platform.

Program Active
Up to $25,000 per vulnerability

Reward Tiers

Bounties are determined by severity and impact

Examples of qualifying vulnerabilities

Remote code execution (RCE)
SQL injection with data exfiltration
Authentication bypass on critical systems
Direct theft or manipulation of user funds
Smart contract exploits leading to fund loss
Server-side request forgery (SSRF) with internal access

Bonus rewards may be issued for exceptionally well-written reports, novel attack vectors, or vulnerabilities with significant real-world impact. Final bounty amounts are determined at our discretion based on severity, exploitability, and the quality of the report.

Scope

What is eligible for bounty rewards

In Scope

  • polywager.io and all subdomains (*.polywager.io)
  • API endpoints (api.polywager.io/v1/*)
  • WebSocket connections (real-time game & notification channels)
  • Smart contracts (deployed on-chain contracts)
  • Mobile web application (responsive web experience)
  • Authentication & authorization systems (login, registration, OAuth, 2FA)
  • Payment & withdrawal systems (deposit, withdrawal, and balance logic)

Out of Scope

  • Third-party services and integrations

  • Social engineering or phishing attacks

  • Physical attacks against facilities or hardware

  • Denial of service (DoS/DDoS) attacks

  • Spam or rate limiting issues on non-critical endpoints

  • Recently disclosed 0-day vulnerabilities (less than 30 days old)

  • Issues requiring physical access to a user's device

  • Attacks requiring a compromised user account you do not own

Rules of Engagement

Follow these guidelines to remain eligible for rewards

Do not access other users' data

Only use test accounts you own. Never attempt to access, modify, or exfiltrate data belonging to other users.

Do not modify or delete data

Avoid actions that could corrupt databases, alter records, or destroy data. Demonstrate impact in the lowest-risk manner possible.

Do not disrupt the service

Testing must not degrade platform performance or availability for other users. Automated scanning must be rate-limited.

Report vulnerabilities promptly

Submit your findings as soon as reasonably possible after discovery. Do not stockpile vulnerabilities.

90-day coordinated disclosure

Allow us 90 days from the initial report to remediate the vulnerability before any public disclosure.

One vulnerability per report

Submit each vulnerability as a separate report. Chaining vulnerabilities is acceptable when demonstrating combined impact.

First reporter gets the reward

If duplicate reports are received, the reward goes to the first valid submission. We will notify you if a duplicate exists.

How to Report

Submit your findings securely

Contact

security@polywager.io

Primary reporting channel

PGP Encryption Available

Request our public key for encrypted submissions

Response Timeline

24 hours

Acknowledgment of receipt

7 days

Initial assessment and severity rating

30 days

Status update on remediation progress

90 days

Full remediation target

Report Requirements

Include the following in your submission for fastest processing

  1. Detailed description of the vulnerability and affected component
  2. Step-by-step instructions to reproduce the issue
  3. Impact assessment describing the potential damage
  4. Proof of concept (screenshots, videos, scripts, or logs)
  5. Your suggested severity rating with justification
  6. Any recommendations for remediation

Hall of Fame

Recognizing researchers who help secure our platform

Be the First

Our Hall of Fame is waiting for its first inductees. Security researchers who responsibly disclose valid vulnerabilities will be recognized here with their permission.


Legal Safe Harbor

Your protection when acting in good faith

We will not pursue legal action against security researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or for which they have the explicit permission of the account holder
  • Report vulnerabilities to us before disclosing them publicly
  • Follow the rules of engagement outlined on this page
  • Do not exploit a vulnerability beyond what is necessary to demonstrate its existence

If legal action is initiated by a third party against you in connection with activities conducted under this program, we will take steps to make it known that your actions were conducted in compliance with this policy.

We consider security research conducted under this policy to be authorized under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and similar laws. We will not file a complaint against you for circumventing any technological measures we have used to protect the applications in scope.

This safe harbor does not apply to violations of any laws that are not related to security research. PolyWager reserves the right to modify or terminate this program at any time. This policy does not constitute an employment relationship or contract.

Found a vulnerability?

We appreciate your help in keeping PolyWager safe for everyone. All valid reports are rewarded, and responsible researchers are publicly recognized.