# Bug Bounty

If you have found a vulnerability in our smart contracts or systems, please email <hi@rango.exchange>.

## Out of Scope & Rules

### The following vulnerabilities are excluded from the rewards and/or prohibited:

* Attacks that the reporter has already exploited themselves, leading to damage
* Attacks requiring access to leaked keys/credentials
* Attacks requiring access to privileged addresses (governance, multisigs, admins)

### Websites and Apps

* Theoretical vulnerabilities without any proof or demonstration
* Attacks requiring physical access to the victim device
* Attacks requiring access to the local network of the victim
* Reflected plain text injection, e.g. in URL parameters, path, etc.
  * This does not exclude reflected HTML injection, with or without JavaScript
  * This does not exclude persistent plain text injection
* Self-XSS
* Captcha bypass using OCR without impact demonstration
* CSRF with no state modifying security impact (ex: logout CSRF)
* Missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly) without demonstration of impact
* Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
* Vulnerabilities used only to enumerate or confirm the existence of users or tenants
* Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
* Lack of SSL/TLS best practices
* DDoS vulnerabilities
* Feature requests
* Issues related to the frontend without concrete impact and PoC
* Best practices issues without concrete impact and PoC
* Vulnerabilities primarily caused by browser/plugin defects
* Leakage of non-sensitive API keys, e.g. Etherscan, Infura, Alchemy, etc.
* Any exploit that requires a browser bug to work, e.g. a CSP bypass
* Best practice concerns
* Recently (less than 30 days) disclosed vulnerabilities in the supply chain
* Vulnerabilities affecting users of outdated browsers and/or platforms
* Social engineering or phishing attempts
* Vulnerabilities that require specific third party software on the user's machine that is not part of the general use case (i.e. browser + wallet add-on)
* Clickjacking/Tapjacking unless performed on a subdomain of rango.exchange
* Tabjacking unless performed on a subdomain of rango.exchange
* The blog hosted at blog.rango.exchange

### The following activities are prohibited by this bug bounty program:

* Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
* Any testing with pricing oracles or third party smart contracts
* Attempting phishing or other social engineering attacks against our employees and/or customers
* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
* Any denial of service attacks
* Automated testing of services that generates significant amounts of traffic
* Public disclosure of an unpatched vulnerability in an embargoed bounty

### Smart Contracts and Blockchain

* Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks)
* Basic economic governance attacks (e.g. 51% attack)
* Lack of liquidity
* Best practice critiques
* Sybil attacks
* Centralization risks
