Program Overview
Alto is committed to the security of our protocol and the safety of our users' funds. We welcome security researchers and the community to help us identify and fix vulnerabilities through our Bug Bounty program.
Scope
The following are in scope for our bug bounty program:
- Alto smart contracts deployed on mainnet
- Critical infrastructure and backend systems
- Web application security vulnerabilities
- Cryptographic implementation issues
Rewards
Rewards are determined based on the severity and impact of the vulnerability:
- Critical: Up to $100,000
- High: Up to $50,000
- Medium: Up to $10,000
- Low: Up to $1,000
How to Report
To report a vulnerability, please email security@alto.money with a detailed description of the issue, steps to reproduce, and potential impact. We aim to respond to all reports within 48 hours.
Rules
To be eligible for a reward, you must:
- Be the first to report the vulnerability
- Not exploit the vulnerability beyond what is necessary to demonstrate it
- Not disclose the vulnerability publicly before it has been fixed
- Make a good-faith effort to avoid privacy violations and data destruction