We pay security researchers who find real bugs. Our promise is simple: you bring us a real finding, we pay you a real bounty, and we never threaten you with legal action for doing your job.
In scope
- All Auora smart contracts on Polygon (asset prediction, factory, tournaments, referral)
- Our public web application
- Our public APIs
- Any endpoint that handles signed messages, oracle data, or user authentication
Out of scope
- Third-party services we depend on (oracle networks, RPC providers, hosting providers — please report those to the upstream vendor)
- Social engineering of Auora employees
- Denial-of-service attacks against our public infrastructure (please don’t)
- Issues already reported by another researcher or already fixed
Reward tiers (indicative)
| Severity | Description | Reward |
|---|---|---|
| Critical | Direct theft of user funds, oracle bypass, settlement forgery | Up to $250,000 |
| High | Permanent freezing of user funds, round resolution manipulation | Up to $50,000 |
| Medium | Temporary DoS of round settlement, info leak of in-window picks | Up to $10,000 |
| Low | Hardening recommendations, minor info disclosure | Up to $1,500 |
How to report
Email dev@auora.gg with:
- A clear description of the vulnerability
- Steps to reproduce
- Impact assessment
- Any proof-of-concept code (optional but appreciated)
