# Bounty program

We offer rewards for identifying and reporting bugs or vulnerabilities that critically affect the Extended Exchange in a live environment, including those that could cause functionality disruptions or unintended financial consequences.

### Program Rewards

Rewards will be paid in USDC, with amounts determined at Extended’s sole discretion based on the severity of the vulnerability. Payout ranges are as follows:

* Critical (up to $500,000): Bugs or exploits causing unintended financial consequences.
* High (up to $50,000): Issues leading to network downtime or liveness failures.
* Medium (up to $5,000): Performance issues affecting the API server.

All bounty submissions will be classified accordingly, though classification criteria may change over time.

### Submission Process

* Prepare a detailed report, including clear reproduction steps and a proof of concept.
* Submit your report to **<security@extended.exchange>**.
* If multiple individuals or entities report the same bug, only the first submission will be considered.
* Rewards will be distributed in USDC on Ethereum for responsibly disclosed bugs, based on severity.
* We commit not to take legal action against researchers acting in good faith and following program guidelines.
* We appreciate the time and effort put into every bug report.

### Eligibility

To be eligible:

* You must be the first to report the vulnerability.
* The vulnerability must qualify under the program.
* You must report any vulnerability within 24 hours of discovery.
* You must not be a current or former employee or contractor of Extended.
* You must comply with KYC/KYB policies.
* You must maintain confidentiality until authorized for disclosure.
* We must be able to reproduce your findings.
* Contributors to the development of the affected code are not eligible to submit findings on that code.

The Extended Security Team also actively searches for vulnerabilities. We appreciate cooperation in respecting final decisions and avoiding repeated negotiations.

### Program Rules

* The SDK is out of scope for the bounty program.
* Do not use web application scanners for automated vulnerability scanning that generates excessive traffic.
* Avoid using automated scanners to spam forms or create multiple accounts.
* Avoid causing damage or limiting the availability of products, services, or infrastructure.
* Do not compromise personal data or cause service interruptions or degradation.
* Do not access or alter other users' data—keep all tests confined to your own accounts.
* Conduct testing strictly within the defined scope.
* Do not exploit DoS/DDoS vulnerabilities, engage in social engineering attacks, or participate in spamming.
* Stay within legal and program-defined boundaries.
* Do not disclose details of discovered vulnerabilities to anyone outside authorized company personnel without explicit permission.

