Scope:

Our bug bounty program focuses on publicly accessible web applications and services. We're looking for vulnerabilities in:

soonami.io

‍app.foundance.org

‍sni.foundance.org

We're also open to reports on our publicly deployed smart contract addresses. Testing on smart contracts must avoid impacting live funds or services.

Out-of-scope items include anything not listed above, internal systems, social engineering, and DoS attacks.

Please provide a clear Proof of Concept (PoC) and follow responsible disclosure. soonami is entitled to make payments in SNI tokens - locked distribution within 1 year linearly unlock.

Rules and Requirements:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty Disclosure Policy & Guidelines
• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial, is allowed for the moment.
• Please do NOT publish/discuss bugs