Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Bug bounty program

MemeMax is committed to maintaining the security, integrity, and availability of its platform. This Bug Bounty Program is intended to encourage responsible disclosure of security vulnerabilities that may impact MemeMax users, infrastructure, or protocol components.

Participation in this program is subject to the terms and conditions set forth below.

Scope

In-Scope Vulnerabilities

The following categories of vulnerabilities may be eligible for rewards if they affect MemeMax in a live or realistically exploitable environment:

  • Smart contract vulnerabilities that could result in loss of user funds, incorrect state transitions, or violations of core protocol logic

  • Flaws affecting order execution, margin calculations, liquidation mechanisms, or settlement processes

  • Infrastructure or network vulnerabilities that could cause platform downtime, degraded performance, or incorrect system behavior

  • Critical API vulnerabilities that materially impact trading operations or risk management

Out-of-Scope Vulnerabilities

The following are not eligible for bounty rewards:

  • UI/UX issues without security implications

  • Vulnerabilities in third-party software, services, wallets, browser extensions, or dependencies that do not result in a direct MemeMax security impact

  • Issues requiring unrealistic user behavior, extreme or impractical market conditions, or social engineering

  • Vulnerabilities dependent on outdated, unsupported, or modified user devices or software

  • Theoretical or speculative issues without a demonstrable and reproducible security impact

Submission Requirements

All submissions must include sufficient detail to allow MemeMax to independently reproduce the reported issue. A complete submission must include:

  • A clear description of the vulnerability and its potential impact

  • Step-by-step reproduction instructions

  • A proof of concept (PoC), exploit demonstration, or relevant transaction data where applicable

  • Supporting materials such as logs, screenshots, or videos, if relevant

Reports must be submitted via email to: security@mememax.com

If multiple parties report the same vulnerability, only the first complete and valid submission will be considered.

Reward Structure

Rewards are paid in USDC and are determined based on the severity, impact, and likelihood of the vulnerability. MemeMax reserves full discretion in vulnerability classification and reward determination.

Severity Levels and Bounty Ranges

  • Critical (up to $25,000) Vulnerabilities that could result in significant loss of user funds, compromise core protocol integrity, or cause systemic failures.

  • High (up to $10,000) Issues that materially affect trading, risk controls, or platform availability without directly enabling large-scale fund loss.

  • Medium (up to $2,500) Vulnerabilities that impact specific users, APIs, or performance with limited systemic risk.

  • Low (up to $500) Issues with constrained impact or requiring significant user interaction to exploit.

Reward amounts may vary within each range based on real-world risk and exploitability.

Prohibited Activities

The following activities are strictly prohibited and will render submissions ineligible:

  • Testing on mainnet in a manner that causes or may cause service disruption, loss of funds, or degraded availability

  • Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks

  • Phishing, social engineering, impersonation, or physical security attacks

  • Accessing, modifying, or attempting to access data belonging to other users without authorization

  • Public disclosure of vulnerabilities prior to remediation and explicit approval

  • Ransom demands, extortion, or threats

  • Exploiting vulnerabilities for personal gain beyond the scope of this program

All testing must be conducted in good faith and strictly within the defined scope.

Eligibility

To be eligible for a bounty reward, participants must:

  • Be the first to submit a valid and complete report

  • Comply with any applicable KYC/KYB requirements

  • Be able to receive USDC payouts

  • Maintain confidentiality regarding vulnerabilities and communications until authorized disclosure

  • Not be a current or former MemeMax employee, contractor, or contributor to the affected codebase

Submissions via third-party platforms or intermediaries will not be accepted.

Legal Safe Harbor

MemeMax agrees not to pursue legal action against researchers who act in good faith, comply with this program, and responsibly disclose vulnerabilities. This assurance does not apply to activities that are malicious, negligent, or outside the scope of this program.

General Terms

  • MemeMax reserves the right to reject any submission that does not meet program requirements

  • MemeMax retains sole discretion over vulnerability classification, reward eligibility, and payout amounts

  • All submitted materials become the property of MemeMax and may be used for security analysis, remediation, or disclosure purposes

  • Program terms, scope, and reward ranges may be modified or terminated at any time without prior notice

PreviousRisksNextOfficial links

Last updated