# Bug bounty program

{% hint style="warning" %}
Raydium’s official bug bounty program is hosted on Immunefi: <https://immunefi.com/bounty/raydium/>
{% endhint %}

Raydium maintains a public bug bounty program covering select open-source smart contracts.\
The program is focused on preventing **theft, loss, or freezing of funds**.

UI-only issues are **not eligible** for rewards.

All vulnerability disclosures must be submitted through the official Immunefi program or via the disclosure channels listed below.

***

#### Rewards

Rewards are determined based on impact severity using the\
[Immunefi vulnerability severity classification system v2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/).

**Smart contracts**

| Severity     | Reward                   |
| ------------ | ------------------------ |
| **Critical** | USD 50,000 – USD 505,000 |
| **High**     | USD 40,000               |
| **Medium**   | USD 5,000                |

* All reports **must include a proof of concept (PoC)** demonstrating exploitability.
* **Code is required**. Explanations or statements alone are not accepted.
* **Critical and high** severity reports must also include a **suggested fix**.

Critical smart contract vulnerabilities are capped at **10% of economic damage**, primarily considering funds at risk, as well as PR and branding impact at the team’s discretion.\
A **minimum payout of USD 50,000** applies to all critical vulnerabilities.

Payouts are handled directly by Raydium and are denominated in USD.\
Payouts may be facilitated in **RAY, SOL, or USDC**.

***

#### Impacts in scope

Only the following impacts are considered in scope. All other impacts are out of scope, even if they affect assets listed elsewhere.

**Critical**

* Direct theft of user funds, whether at rest or in motion (excluding unclaimed yield)
* Permanent freezing of user funds
* Vulnerabilities that enable draining or theft of funds without user transaction approval

**High**

* Theft of unclaimed yield
* Permanent freezing of unclaimed yield
* Temporary freezing of user funds
* Vulnerabilities that intentionally or unintentionally alter the value of user funds

**Medium**

* Smart contracts unable to operate due to lack of token funds
* Block stuffing for profit
* Griefing attacks (no direct profit motive, but user or protocol harm)
* Theft of gas
* Unbounded gas consumption

***

#### Out of scope and rules

The following vulnerabilities are **not eligible** for rewards:

* Attacks already exploited by the reporter
* Attacks requiring access to leaked private keys or credentials
* Attacks requiring access to privileged addresses (governance, strategist)

**Smart contracts and blockchain**

* Incorrect data supplied by third-party oracles
  * Oracle manipulation and flash-loan attacks are **not** excluded by this rule and remain in scope
* Basic economic governance attacks (e.g. 51% attacks)
* Lack of liquidity
* Best-practice critiques
* Sybil attacks
* Centralization risks

***

#### Prohibited activities

The following actions are strictly prohibited:

* Testing against **mainnet or public testnet contracts**
* Testing involving pricing oracles or third-party smart contracts
* Phishing or social engineering attacks
* Testing third-party systems or applications (e.g. browser extensions, SSO providers)
* Denial-of-service attacks
* Automated testing that generates excessive traffic
* Public disclosure of unpatched vulnerabilities under embargo

> Public testnets are provided for reference only.\
> **All testing must be performed on private test environments.**

***

#### Disclosure and contact

For vulnerabilities not submitted via Immunefi, please email:

📧 **<security@reactorlabs.io>**

Include:

* A detailed description of the attack vector
* A proof of concept for high and critical severity issues

Due to an influx of AI-generated reports and spam, the team will limit responses to reports of high quality. For active triage, please submit reports through Immunefi.
