Bug Bounty
Rubicon encourages responsible disclosure of security vulnerabilities and may compensate security researchers for valid reports.
Live Sherlock Bug Bounty
Submit smart contract vulnerability reports through the Rubicon Sherlock bug bounty (opens in a new tab). Maximum reward: 15,000 USDC.
Do not publicly disclose an active vulnerability before the Rubicon team has had time to investigate and coordinate a fix.
Reporting
Submit smart contract vulnerability reports through the Rubicon Sherlock bug bounty (opens in a new tab).
For other security reports, or if you are unsure whether your report fits the Sherlock scope, contact contact@rubicon.finance.
Include as much detail as possible:
- affected contract, app surface, or repository
- impacted chain and contract address, if applicable
- reproduction steps
- proof of concept, if safe to share
- potential impact
- suggested remediation, if known
Eligibility
Valid vulnerability reports may be eligible for bounties through Sherlock, paid directly, or paid through the Rubicon Forum (opens in a new tab) DAO process depending on scope and severity.