- Introduction
This Bug Bounty Program Terms Agreement (“Agreement”) is established by BlockEstateDAO, LLC (“BlockEstateDAO,” “DAO,” “we,” “us,” or “our”) to incentivize security researchers, developers, and ethical hackers (“Participants”) to identify and report security vulnerabilities within the DAO’s smart contracts, web applications, and governance systems. By participating in this program, Participants acknowledge that their eligibility, rewards, and continued participation are subject to compliance with these terms and any modifications announced by BlockEstateDAO.
- Definitions
- Bug Bounty Program – A structured initiative by BlockEstateDAO to encourage responsible disclosure of security vulnerabilities in exchange for rewards.
- Participant – Any individual or entity that submits security vulnerability reports under this program.
- Vulnerability – Any flaw, exploit, or weakness that could compromise the security, integrity, or functionality of BlockEstateDAO’s smart contracts, applications, or governance mechanisms.
- Scope – The set of smart contracts, governance mechanisms, and digital infrastructure covered by this program, excluding third-party dependencies.
- Reward – Compensation paid in BESD tokens, stablecoins, or other forms approved by the Board subject to treasury fund availability and DAO approval.
- Scope of the Program
3.1 The following components are covered under this program:
- BlockEstateDAO’s smart contracts, including but not limited to:
- Profit Distribution Contract
- Emergency Overrides & Updates Contract
- Advanced Voting & Delegation Contract
- On-Chain Real Estate Deed/Title Verification Contract
- Performance Incentives & Token Grant Contract
- Project Vault & Proposal Budgeting Contract
- Governance attack vectors
- DAO governance mechanisms and security protocols.
- The official BlockEstateDAO website and associated web applications.
3.2 The following are out of scope:
- Social engineering attacks (phishing, impersonation, etc.).
- Physical security vulnerabilities.
- Issues in third-party smart contracts, oracles, or integrations that are external to BlockEstateDAO’s direct control, including exchange-related vulnerabilities.
- Responsible Disclosure
4.1 Participants must adhere to responsible disclosure principles:
- Provide a detailed report of the vulnerability, including steps to reproduce it.
- Allow BlockEstateDAO up to 90 days to remediate the vulnerability before disclosing it publicly, unless mutually agreed otherwise.
- Refrain from exploiting vulnerabilities for personal gain, unauthorized access, or malicious intent.
- Avoid privacy violations, destruction of data, and service disruptions.
- Participants must not conduct testing that leads to service disruption, unauthorized fund movement, or irreversible actions on smart contracts. Any violation may result in disqualification and legal action.
4.2 Failure to follow responsible disclosure guidelines may result in disqualification from the program and legal action if applicable.
- Reporting Process
5.1 Participants must submit vulnerability reports through BlockEstateDAO’s designated reporting platform, including:
- A clear and detailed explanation of the issue.
- Steps to reproduce and demonstrate the vulnerability.
- Potential impact assessment.
5.2 Reports should be submitted in good faith, with detailed supporting evidence to demonstrate reproducibility and impact.
- Reward Structure
6.1 Rewards are determined based on severity, impact, and reproducibility:
- Critical Vulnerabilities (e.g., exploits allowing unauthorized fund transfers or smart contract takeover): Up to $50,000 in BESD tokens or stablecoins.
- High Severity (e.g., significant governance manipulation or DoS attack on smart contracts): Up to $25,000.
- Medium Severity (e.g., privilege escalation within DAO systems, data leaks): Up to $10,000.
- Low Severity (e.g., minor UI flaws or non-exploitable errors): Up to $2,000.
- Exceptional Cases: The Board reserves the right to grant higher payouts for vulnerabilities that pose an existential risk to BlockEstateDAO.
6.2 Rewards are subject to review and approval by BlockEstateDAO’s Board and final treasury fund availability.
6.3 Duplicate reports will be rewarded on a first-come, first-served basis.
6.4 Participants receiving rewards above $10,000 may be required to complete KYC verification to comply with anti-fraud and compliance policies.
- Disqualification Criteria
7.1 Participants will not be eligible for rewards if they:
- Attempt to exploit or manipulate the system for personal gain.
- Publicly disclose a vulnerability before the expiration of the responsible disclosure period (90 days) or without mutual agreement.
- Submit false, vague, or misleading reports.
- Engage in unethical or malicious activity.
- Conduct automated vulnerability scanning without prior written consent; such scanning is strictly prohibited and may lead to disqualification.
- Confidentiality and Non-Disclosure
8.1 Participants agree to keep all vulnerability reports confidential until BlockEstateDAO confirms the issue has been resolved.
8.2 Violations of confidentiality terms may result in forfeiture of rewards, disqualification from future participation, and potential legal consequences.
8.3 Unauthorized disclosure of security vulnerabilities may result in legal consequences.
- Program Modifications and Termination
9.1 BlockEstateDAO reserves the right to modify or terminate this program at any time, with reasonable notice given via official DAO communication channels.
9.2 Changes will be announced through official DAO communication channels.
9.3 Program changes will not affect payouts for vulnerabilities reported and validated prior to the modification date, unless explicitly stated otherwise.
- Legal Compliance
10.1 This program is void where prohibited by law, and participants from sanctioned countries are not eligible for rewards.
10.2 Participants must comply with all applicable laws and regulations while participating in the program.
10.3 Participants must not violate any U.S., EU, or international cybersecurity laws while testing or reporting vulnerabilities.
- Acknowledgment and Acceptance
11.1 By submitting a vulnerability report, Participants acknowledge that they have read, understood, and agreed to these terms.
11.2 Final eligibility, reward decisions, and disqualification appeals are subject to the sole discretion of the Board.