Bug Bounty Program

7.Exchange operates a bug bounty program to encourage responsible disclosure of security vulnerabilities. If you find a vulnerability, we want to hear from you.

Scope

The bug bounty program currently covers:

• 7.Exchange smart contracts The Diamond Router contracts are in pre-deployment testing. Vulnerabilities found in these contracts during the bounty period are in scope.
• Platform security Critical vulnerabilities affecting the integrity of quotes, execution payloads, or user data.

Out of scope

• Third-party bridge or DEX smart contracts (report these to the respective projects)
• UI/UX bugs that do not have a security impact
• Social engineering attacks
• Denial-of-service attacks
• Issues already known or previously reported

How to report

1. file a ticket with your findings to our bug report panel on Discord.
2. Include a clear description of the vulnerability, steps to reproduce, and the potential impact.
3. Provide any supporting evidence (transaction hashes, code references, proof of concept).
4. Do not disclose the vulnerability publicly before it has been acknowledged and resolved.

Response timeline

• Acknowledgment Within 48 hours of receiving your report.
• Assessment We will evaluate severity and impact within 5 business days.
• Resolution Timeline depends on complexity. We will keep you informed of progress.

Rewards

Rewards are determined based on the severity and impact of the vulnerability. Factors include:

• Potential for fund loss
• Scope of affected users
• Complexity of the exploit
• Quality of the report

Reward amounts are determined at 7.Exchange's discretion and communicated during the assessment phase.

Rules

• Act in good faith. Test only against test environments or your own accounts.
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
• Do not access, modify, or delete other users' data.
• One report per vulnerability. Duplicate reports are not eligible for rewards.
• Compliance with applicable laws is required.