Bug Bounty Program

Help secure the Pi ecosystem by identifying vulnerabilities in Mrwain’s DApps. Earn Pi rewards and contribute to a transparent, decentralized future.

About Our Bug Bounty Program

The Mrwain Organization is committed to building secure and reliable DApps for the Pi Network. Our Bug Bounty Program invites security researchers, developers, and Pi community members to identify and report vulnerabilities in our platforms, ensuring a safe and transparent ecosystem.

Eligibility and Scope

In-Scope Assets: All Mrwain DApps (Quantum Pay, TruthWeb, Cloudy, Droplink, TaskHub, Salenus, Trend Forge, Update) and their associated smart contracts and APIs.
Eligible Vulnerabilities: Includes but not limited to XSS, SQL injection, authentication bypass, privilege escalation, and blockchain-specific issues like double-spending or smart contract vulnerabilities.
Out-of-Scope: Social engineering, DDoS attacks, physical attacks, or vulnerabilities in third-party services not directly controlled by Mrwain.
Participants: Open to all individuals and teams, except Mrwain employees or contractors involved in DApp development.

Reward Structure

Critical

Up to 10,000 Pi for vulnerabilities that could lead to significant loss of funds or data breaches.

High

Up to 5,000 Pi for vulnerabilities that impact user accounts or system integrity.

Medium

Up to 2,000 Pi for vulnerabilities with moderate impact, such as limited data exposure.

Low

Up to 500 Pi for minor issues with low impact, such as UI bugs or non-exploitable flaws.

Rewards are paid in Pi and may vary based on the severity and impact of the reported issue. Exceptional contributions may receive additional recognition in our Hall of Fame.

How to Submit a Bug

Identify the Issue: Thoroughly test our DApps to find potential vulnerabilities.
Document the Bug: Provide a clear description, including steps to reproduce, affected DApp, and potential impact.
Submit Your Report: Email your findings to security@mrwain.org with the subject “Bug Bounty Submission.”
Review Process: Our security team will evaluate the report within 7 business days and follow up with next steps.
Receive Rewards: If the bug is valid, you’ll receive Pi rewards based on the severity, along with recognition if eligible.

Frequently Asked Questions

What types of bugs are eligible for rewards?

Eligible bugs include security vulnerabilities in our DApps, such as code execution, data leaks, or smart contract flaws. Non-security issues like UI bugs may qualify for low-tier rewards.

How long does it take to receive a response?

Our team aims to acknowledge your submission within 48 hours and provide a detailed response within 7 business days.

Can I report bugs anonymously?

Yes, anonymous submissions are accepted. However, providing contact information helps us follow up for clarification and reward distribution.

Are there any legal concerns?

We encourage responsible disclosure. As long as you follow our guidelines and do not cause harm, we will not pursue legal action for your testing activities.