Daffy Bug Bounty Program

We believe security is a shared responsibility. Help us protect Daffy's raffle platform and its users by responsibly disclosing vulnerabilities — we reward every valid finding.

  • $50K Max Reward
  • 48h Response Time
  • 100% Safe Harbor

What's In Scope

Focus your research on our core infrastructure and smart contracts. Out-of-scope findings won't be eligible for rewards.

In scope
  • Smart Contracts
    All Daffy raffle and treasury contracts deployed on mainnet
  • Backend API
    Core API endpoints handling raffle logic, entries, and payouts
  • Authentication & Access
    Wallet auth, session management, and permission systems
  • Frontend (Critical Only)
    XSS with meaningful impact, CSRF affecting funds or entries
Out of scope
  • Smart Contracts (Testnet)
    All Daffy raffle and treasury contracts deployed on testnet
  • UI/UX Issues
    Visual bugs, cosmetic defects, or missing features
  • Rate Limiting / DoS
    Denial of service attacks without demonstrable fund impact
  • Third-Party Services
    Bugs in Privy, Alchemy, Chainlink, or other external providers

Reward Structure

Payouts are determined by impact, exploitability, and affected assets. All rewards are paid in USDC.

Critical
  Up to $50,000 (max payout)
  Examples
    • Smart contract fund drainage
    • Unauthorized winner manipulation
    • Private key exposure
    • Protocol-breaking logic flaws

High
  $5,000–$10,000 (up to $10,000)
  Examples
    • Authentication bypass
    • Privilege escalation
    • Mass account takeover
    • VRF result manipulation

Medium
  $500–$2,500 (up to $2,500)
  Examples
    • Single account takeover
    • Sensitive data exposure
    • Stored XSS with impact
    • Payment flow bypasses

Low
  $50–$200 (up to $200)
  Examples
    • Information disclosure
    • Reflected XSS (low impact)
    • Self-XSS
    • Minor misconfigurations

Responsible Disclosure

We're committed to working openly with security researchers. Here's what we ask of you — and what you can expect from us.

Researcher Guidelines
  1. Do No Harm
    Avoid accessing, modifying, or deleting data that isn't yours. Never disrupt live services or other users.
  2. Act in Good Faith
    Conduct testing only on accounts you own or have explicit permission to test. Use our testnet environment whenever possible.
  3. Keep It Confidential
    Do not disclose findings publicly until we've had at least 90 days to investigate and issue a fix.
  4. Provide a PoC
    Include a clear proof of concept demonstrating the vulnerability. Theoretical issues are not eligible for rewards.

Our Commitment to You

Daffy pledges to engage with every researcher in good faith. Here's what responsible researchers can expect:

  • We will acknowledge your report within 48 business hours of receipt
  • We will not pursue legal action against researchers who follow these guidelines
  • We offer full safe harbor for research conducted per this program's rules
  • We will keep you updated with progress on triage and remediation
  • We credit your contribution in our Hall of Fame upon request
  • Rewards are paid promptly in USDC within 14 days of validation
  • Duplicate reports receive a good-faith acknowledgment; first reporter is rewarded

Report a Vulnerability

Send your findings directly to our security team. Include all required details to ensure the fastest possible triage.

Secure Email: Security@daffys.com
Response within 48 business hours