# Bug Bounty

> Real money for real findings. No legal threats. No bait-and-switch.

We pay security researchers who find real bugs. Our promise is simple: **you bring us a real finding, we pay you a real bounty, and we never threaten you with legal action for doing your job.**

## In scope

* All Auora smart contracts on Polygon (asset prediction, factory, tournaments, referral)
* Our public web application
* Our public APIs
* Any endpoint that handles signed messages, oracle data, or user authentication

## Out of scope

* Third-party services we depend on (oracle networks, RPC providers, hosting providers — please report those to the upstream vendor)
* Social engineering of Auora employees
* Denial-of-service attacks against our public infrastructure (please don't)
* Issues already reported by another researcher or already fixed

## Reward tiers (indicative)

| Severity | Description                                                     | Reward          |
| -------- | --------------------------------------------------------------- | --------------- |
| Critical | Direct theft of user funds, oracle bypass, settlement forgery   | Up to \$250,000 |
| High     | Permanent freezing of user funds, round resolution manipulation | Up to \$50,000  |
| Medium   | Temporary DoS of round settlement, info leak of in-window picks | Up to \$10,000  |
| Low      | Hardening recommendations, minor info disclosure                | Up to \$1,500   |

Final reward amounts are determined by severity, exploitability, and the quality of the report.

## How to report

Email **[dev@auora.gg](mailto:dev@auora.gg)** with:

1. A clear description of the vulnerability
2. Steps to reproduce
3. Impact assessment
4. Any proof-of-concept code (optional but appreciated)

Please **do not** publicly disclose the vulnerability until we have confirmed a fix. We commit to acknowledging your report within 24 hours and providing a substantive response within 5 business days.

## Safe harbor

Good-faith security research conducted under this program will not result in legal action from Auora. Specifically, we will not pursue civil action or notify law enforcement for accidental, good-faith violations of this policy. We consider activities consistent with this policy to be authorized testing.
