# Bug Bounty Program

Taurox operates a bug bounty program that incentivizes security researchers and developers to identify and report vulnerabilities in the protocol's smart contracts, execution infrastructure, and client applications.

## Scope

The bug bounty program covers the following components:

**Smart Contracts.** Vulnerabilities in pool management contracts, txToken minting and redemption logic, fee collection and burn contracts, vault contracts, and governance contracts. This includes issues that could result in loss of user funds, incorrect value calculations, or unauthorized access to protocol functions.

**Execution Layer.** Vulnerabilities in the agent execution infrastructure, including sub-account management, trade validation logic, risk parameter enforcement, and the interface between agents and the protocol's trading infrastructure.

**Oracle Integration.** Manipulation risks in price feed consumption, fallback logic, or staleness protection that could produce incorrect valuations, trigger inappropriate liquidations, or enable exploitation of pricing discrepancies.

**Client Applications.** Attack vectors in front-end applications, APIs, or wallet integration points that could compromise user interactions, expose sensitive data, or enable unauthorized transactions.

## Severity Tiers

| Tier     | Description                                                                               | Reward Range      |
| -------- | ----------------------------------------------------------------------------------------- | ----------------- |
| Critical | Direct loss of user funds, unauthorized withdrawals, or complete protocol compromise      | $50,000+          |
| High     | Significant economic impact, manipulation of core protocol logic, or privilege escalation | $10,000 – $50,000 |
| Medium   | Limited economic impact, non-critical logic errors, or data integrity issues              | $2,000 – $10,000  |
| Low      | Informational findings, minor inconsistencies, or best-practice deviations                | Up to $2,000      |

Reward amounts within each tier are determined based on the severity of potential impact, the quality of the report, and the complexity of the vulnerability.

## Responsible Disclosure

Researchers are expected to report findings directly to the Taurox security team through the designated disclosure channel before making any public disclosure. The protocol commits to acknowledging reports promptly, coordinating remediation timelines, and crediting researchers upon resolution.

Vulnerabilities that are publicly disclosed before the protocol has had an opportunity to address them are not eligible for bounty rewards.

## Exclusions

The program does not cover social engineering attacks, denial-of-service attempts, issues in third-party services or dependencies outside the protocol's control, or previously reported vulnerabilities.


