Bug Bounty Program

We reward the ones who find real problems.

Introduction

We run a responsible bug bounty program to:

  • Protect our users and the Gen6 ecosystem.

  • Encourage responsible disclosure of security and privacy issues.

  • Reward researchers fairly in GSX for verified, impactful findings.

Reward Pool of the Bug Bounty: 50 000 GSX

Scope

In-scope:

  • Gen6.App (content pages, user accounts, authentication flows, image uploads, attachments, comment systems, API endpoints used, backend, OS).

  • Gen6 Public Blockchain

Out-of-scope:

  • Social engineering, phishing, or attacks requiring physical access.

  • Third-party services not operated by Gen6 (unless the issue clearly originates from our integration).

  • Denial-of-Service attacks on production systems (we will not reward or tolerate attempts that harm availability). You can test DoS attacks locally, though.

If you are unsure whether something is in scope, submit it and we'll triage.

Reward tiers (paid in GSX)

Rewards are determined by impact, exploitability, and the quality of your report.

  • Small

    • Low-impact bugs / minor logic issues / UI bugs that could lead to confusion or small privacy leaks. Reward: 10 – 50 GSX

  • Medium

    • Bugs that allow user impersonation, escalation of privileges, moderate data exposure, or persistent misconfigurations. Reward: 50 – 250 GSX

  • Critical

    • Remote code execution, full database leaks, broken authentication allowing full account takeover, secret key exposure, or any vulnerability that allows large-scale compromise. Reward: Up to 3,000 GSX

Amounts within a tier depend on reproducibility, impact, and whether an exploit exists. Multiple valid reports for the same bug will be coordinated so credit and reward are allocated fairly.

Severity guidance (How we judge)

During triage we consider and document impact, exploitability, scope, and user harm. We value clear exploitability: a theoretical vulnerability with no realistic exploit scores lower than a practical, easily exploitable bug.

How to submit a report

Send an email to [email protected] with the subject Bug Bounty — [one-line summary]. For encryption, you can use ProtonMail's built-in encryption feature. Make sure to include:

  1. Title / short summary

  2. Impact rating (your estimate):

    Small / Medium / Critical

  3. Full reproduction steps

    How you reproduce the bug. Examples: screenshots, command lines, HTTP requests, video (if helpful). The clearer the steps, the faster we can triage.

  4. Proof of concept (PoC)

    How you demonstrate the bug. Examples: exploit code, curl commands, or a step-by-step walkthrough that demonstrates the issue. If the PoC is destructive, include a safer, equivalent demonstration. If a screenshot explains everything, that is enough too.

  5. Test account / affected account (if relevant)

    Provide a test account we can use or steps to reproduce on our test environment.

  6. Timestamp & Environment

    Date/time (UTC), browser/OS, your IP (optional).

  7. Suggested mitigation

    Optional but appreciated!

  8. Disclosure preference

    Coordinated disclosure timeline or public disclosure allowed after fix (default: coordinated).

Bug Report Template

Title:

Date (UTC) and environment:

Impact rating:

Reproduction steps:

Proof of Concept:

Test account:

Suggested mitigation:

Disclosure preference:
Coordinated (change it if you want).

Eligibility & rules

  1. Be a good-faith tester or security researcher. Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the issue.

  2. Do not perform social engineering, spam, or denial-of-service testing on production systems.

  3. Unsafe or destructive testing that damages user data or availability may be excluded from rewards.

  4. Submit only one report per issue. If your submission is substantially the same as another, we will coordinate credit.

  5. Employees and contractors of Gen6 are eligible unless the policy for their role states otherwise — check with us.

Safe harbor

If you follow this program and act in good faith to avoid privacy invasion, data destruction, or service disruption, Gen6 will not pursue legal action for the tested activity. This safe harbor applies only while you follow the program rules and scope.

Triage & Response timeline

We aim to acknowledge your report within 72 hours and provide a coordinated disclosure plan or status update within 7 business days. We patch and pay bounties quickly; the typical payout target is 10-14 days after a validated fix, but this may vary with severity and legal checks.

We will keep you updated during triage. If we require more info we will ask. Clear PoCs speed everything up.

Bounty transfer process

  • We only send GSX to your provided reward wallet.

  • We do not require KYC.

Email: [email protected] Please encrypt sensitive (critical-level) submissions through ProtonMail (or, later, using NCrypt). By submitting a report you agree to follow this program's rules.

We reserve the right to modify bounty amounts, scope, or terms; we will publish changes on the wiki and honor reports submitted under prior terms when practical.

Final notes

We love thoughtful, well-documented reports more than flashy exploits.

A clear proof that lets us reproduce and fix a bug will always outshine a dramatic but vague claim. Help us keep Life in Gen6 reliable, private, and resilient, and we will thank you with decent amounts of GSX, public credit (if you want), and the eternal admiration of our community 🙏

~ Gen6 Security Expert Team
