Fix #13: Bug Bounty Request #14
Conversation
Hey @Stackwyre, thanks for taking care of this so quickly. I really appreciate the team’s commitment to improving the security disclosure process. I reviewed the new SECURITY.md and it looks good to me overall.

One small suggestion: under “Contact the maintainers directly”, it would be helpful to clarify which platform those handles refer to, for example GitHub, X, Telegram, etc. Right now it may not be immediately clear to external researchers how they should reach out through those handles.

Regarding the bug bounty section, HackenProof could be worth considering when the team is ready to move forward with a formal program. Personally, as a Web3 security researcher, I’ve had very good experiences with HackenProof, and I’d be happy to make an introduction to their team privately. They also have a strong network of Web3 security researchers.

Thanks again for the quick response here. Once the maintainer contact channels are clarified, I’d be happy to follow up privately as well.
loopghost
left a comment
Under “Contact the maintainers directly”, it would be helpful to clarify which platform those handles refer to, for example GitHub, X, Telegram, etc. Make sure to be publicly reachable through that contact method (i.e. having your DMs open to everyone if it's X). Right now it may not be immediately clear to external researchers how they should reach out through those handles.
Hey @Stackwyre @calummoore, is there any update on this?

If you’re moving forward with a bug bounty program, I’d strongly recommend publishing clear reward ranges by severity, along with a detailed and well-defined scope. Transparent rules are one of the key factors that attract high-quality security researchers. In contrast, programs with vague terms often raise concerns within the whitehat community, as ambiguity can be used to dispute valid findings or avoid fair payouts. As a result, experienced researchers tend to avoid spending time on such targets.

For severity assessments, most mature programs use Immunefi’s Vulnerability Severity Classification System.

As a reference, many established DeFi protocols adopt reward structures similar to:

• Critical: min. $15,000 and up to 10% of funds at risk

Having predefined reward ranges significantly increases researcher participation and trust in the program.

Looking forward to seeing this move ahead. Given Payy’s TVL, I believe an official bug bounty program is not only justified but an important component of the project’s overall security posture.
Resolves #13
Changes
SECURITY.md

Fixes #13
Tested locally. Happy to address any review feedback.