Extended Documentation
  • ABOUT EXTENDED
    • Vision and Roadmap
    • Technical Architecture
    • Team
  • EXTENDED Resources
    • Trading
      • Trading Accounts and Margin
      • Trading Rules
      • Margin Schedule
      • Order Cost
      • Order Types
      • Trading Fees and Rebates
      • Liquidation Logic
      • Funding Payments
      • Oracle Prices
    • Account Operations
      • Account Creation
      • Deposits and Withdrawals
    • Referrals
    • Points
    • More
      • Testers Program
      • Leaderboard
      • Platform Outage
      • Testnet
      • Smart Contract Audits
      • Bounty program
      • Brand Kit
    • Legal
      • Terms of Use
      • Statement of Risk
      • Restricted Countries
      • Privacy Policy
  • Extended API
    • API Documentation
Powered by GitBook
On this page
  1. EXTENDED Resources
  2. More

Bounty program

We offer rewards for identifying and reporting bugs or vulnerabilities that critically affect the Extended Exchange in a live environment, including those that could cause functionality disruptions or unintended financial consequences.

Program Rewards

Rewards will be paid in USDC, with amounts determined at Extended’s sole discretion based on the severity of the vulnerability. Payout ranges are as follows:

  • Critical (up to $500,000): Bugs or exploits causing unintended financial consequences.

  • High (up to $50,000): Issues leading to network downtime or liveness failures.

  • Medium (up to $5,000): Performance issues affecting the API server.

All bounty submissions will be classified accordingly, though classification criteria may change over time.

Submission Process

  • Prepare a detailed report, including clear reproduction steps and a proof of concept.

  • Submit your report to security@extended.exchange

  • If multiple individuals or entities report the same bug, only the first submission will be considered.

  • Rewards will be distributed in USDC on Ethereum for responsibly disclosed bugs, based on severity.

  • We commit not to take legal action against researchers acting in good faith and following program guidelines.

  • We appreciate the time and effort put into every bug report.

Eligibility

To be eligible:

  • You must be the first to report the vulnerability.

  • The vulnerability must qualify under the program.

  • You must report any vulnerability within 24 hours of discovery.

  • You must not be a current or former employee or contractor of Extended.

  • You must comply with KYC/KYB policies.

  • You must maintain confidentiality until authorized for disclosure.

  • We must be able to reproduce your findings.

  • Contributors to the development of the affected code are not eligible to submit findings on that code.

The Extended Security Team also actively searches for vulnerabilities. We appreciate cooperation in respecting final decisions and avoiding repeated negotiations.

Program Rules

  • The SDK is out of scope for the bounty program.

  • Do not use web application scanners for automated vulnerability scanning that generates excessive traffic.

  • Avoid using automated scanners to spam forms or create multiple accounts.

  • Avoid causing damage or limiting the availability of products, services, or infrastructure.

  • Do not compromise personal data or cause service interruptions or degradation.

  • Do not access or alter other users' data—keep all tests confined to your own accounts.

  • Conduct testing strictly within the defined scope.

  • Do not exploit DoS/DDoS vulnerabilities, engage in social engineering attacks, or participate in spamming.

  • Stay within legal and program-defined boundaries.

  • Do not disclose details of discovered vulnerabilities to anyone outside authorized company personnel without explicit permission.

PreviousSmart Contract AuditsNextBrand Kit

Last updated 10 days ago