Bug Bounty
Find a critical bug. Earn up to $50,000.
We reward security researchers who help us keep Quamrailsinvestir safe. Responsible disclosure, fair compensation, safe harbor.
Rewards
Bounty tiers
- Critical: Up to $50,000. Fund loss, unauthorized access, oracle manipulation
- High: Up to $15,000. Significant disruption, denial of service, privilege escalation
- Medium: Up to $5,000. Limited impact, information disclosure, logic errors
- Low: Up to $500. Informational, best practices, minor UI issues
Scope
What's in and out
In scope
- All Quamrailsinvestir smart contracts on Arbitrum
- Platform web application (app.quamrailsinvestir.cn.mt)
- API endpoints
- Oracle integration logic
- Admin multisig workflows
Out of scope
- Third-party services (Chainlink, Arbitrum, Cloudflare)
- Social engineering attacks
- Physical security
- DDoS attacks
- Marketing site (quamrailsinvestir.com) — unless it affects app security
Rules
Rules of engagement
- Do not exploit beyond proof-of-concept
- Do not access or modify other users' data
- Do not disclose publicly before fix is deployed
- Do not use automated scanners that generate excessive traffic
- Act in good faith at all times
We will not pursue legal action against researchers who follow this policy in good faith.
Process
How to report
- Discover: Find a vulnerability within scope.
- Report: Email security@quamrailsinvestir.com with description, reproduction steps, impact assessment, and your wallet address.
- Triage: We acknowledge within 24 hours. Initial assessment within 72 hours.
- Reward: Bounty paid in USDC after fix is verified and deployed.
Hall of Fame
No submissions yet. Be the first.