# Bug Bounty Program
## Community-Driven Audit
During the testnet phase, Trestle runs a Community-Driven Audit program to identify and fix vulnerabilities before mainnet launch.
## Reward Structure

| Severity | Reward | Future Value |
|---|---|---|
| Critical | Governance Points + Security Scout status | Priority allocation for Governance Token airdrop |
| High | Governance Points + Security Scout status | Recognition in Hall of Fame |
| Medium | hNOBT points | Future conversion value |
| Low | Recognition only | Social status |
## Reporting Process

- Identify a vulnerability
- Document it with steps to reproduce
- Submit via:
  - GitHub Issues (create a private report)
  - Discord Security Channel
- Wait for review (48-72 hours for initial response)
- Receive reward if valid
## What Qualifies
- Smart contract vulnerabilities
- Frontend security issues
- API/Worker misconfigurations
- Document verification bypasses
## What Doesn't Qualify
- UI/UX issues (not security)
- Missing features
- Already reported issues
- Social engineering attacks
## Hall of Fame

Contributors whose reports are accepted will be:

- Listed in the Security Contributors section
- Eligible for a Security Scout NFT badge
- Considered for future Governance Token allocation
## Future: Immunefi Transition

Upon mainnet launch with TVL:

- Cash rewards via Immunefi or a similar platform
- Higher reward tiers ($100-$100,000+ depending on severity)
- Public disclosure process