Moonlet Public Bug Bounty Program

Overview

Moonlet is committed to maintaining the highest security standards across its infrastructure, applications, and services. This Public Bug Bounty Program is designed to encourage responsible disclosure of security vulnerabilities and to reward researchers who help us improve the security of our systems.

This program complements our formal security and compliance efforts, including ISO 27001, SOC 2 Type I, and SOC 2 Type II, as well as regular external audits and penetration testing.


Scope

The bug bounty program applies to the following Moonlet systems and services:

  • Validator and node infrastructure
  • Public and private RPC services
  • Staking dashboards and APIs
  • Analytics and monitoring tooling
  • Backend services supporting Moonlet products

Smart contracts and protocol-level components may be included only if explicitly stated in scope or announced separately.


Out of Scope

The following are considered out of scope:

  • Issues in third-party services or dependencies not operated by Moonlet
  • Social engineering attacks
  • Physical attacks or threats
  • Denial-of-service attacks without demonstrated impact
  • Vulnerabilities already known or previously reported

Severity Levels & Rewards

Rewards are determined based on severity, impact, and exploitability. The final reward amount is at Moonlet’s discretion.

  • Critical: Vulnerabilities leading to fund loss, key compromise, validator slashing, or full infrastructure takeover
  • High: Authentication bypass, significant data exposure, or privilege escalation
  • Medium: Limited denial-of-service, partial access escalation, or misconfigurations with moderate impact
  • Low: Minor issues, non-exploitable bugs, or best-practice recommendations

Rewards may be paid in fiat or cryptocurrency and are evaluated on a case-by-case basis.


Responsible Disclosure Guidelines

We ask all participants to follow responsible disclosure practices:

  • Do not exploit vulnerabilities beyond proof-of-concept
  • Do not disclose vulnerabilities publicly before a fix is deployed
  • Avoid accessing or modifying user data
  • Report issues as soon as they are discovered

Moonlet commits to acknowledging reports promptly and working toward timely remediation.


Reporting a Vulnerability

Security vulnerabilities can be reported via:

Encrypted communication can be arranged upon request.

Please include the following in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Proof-of-concept (if applicable)

Moonlet will not pursue legal action against researchers who:

  • Follow the rules of this program
  • Act in good faith
  • Avoid privacy violations, data destruction, and service disruption

Updates & Changes

Moonlet reserves the right to update this Bug Bounty Program at any time. Any changes will be published on our official website.


Contact

For questions related to this program, please contact:

security@moonlet.io


Last updated: Oct 2025