Bug Bounty Program Charter v1.0

Last updated: June 2026 | Public Release v1.0

ANCORA Vulnerability Disclosure & Reward Program

1. Program Overview

The ANCORA Bug Bounty Program rewards independent security researchers for responsibly disclosing vulnerabilities in the ANCORA protocol, clients, and infrastructure. The program is designed to incentivize high-quality security research while protecting network users.

Total program reward pool: $10,000,000 USD equivalent in ANC.

2. Scope

Eligible targets for the bounty program include:

ANCORA core protocol client implementation

Consensus algorithm and cryptography

MPC wallet and key management system

Smart contract system

Zero-knowledge proof circuits

Peer-to-peer network layer

Governance system

DID identity system

Out of Scope: Third-party services, wallets, exchanges, and applications built on top of ANCORA.

3. Vulnerability Severity Classification & Rewards

Reward amounts are determined based on exploit complexity, impact severity, and quality of disclosure.

4. Responsible Disclosure Policy

4.1 Disclosure Requirements

All researchers must:

Provide a detailed vulnerability description with a proof of concept

Allow 90 days for remediation before public disclosure

Not exploit the vulnerability for personal gain

Not disclose the vulnerability to any third parties before remediation

Not access or modify user data or funds

4.2 Safe Harbor

Any researcher acting in accordance with this policy will not face legal action or law enforcement referral from the ANCORA project. We commit to working with researchers in good faith to resolve all reported issues.

5. Submission Process

Submit a vulnerability report to security@ancora.network with full technical details

Include proof of concept code and reproduction steps

Receive acknowledgment within 48 hours

Security team validates and triages vulnerability

Remediation developed and deployed

Reward paid upon successful remediation and verification

Public disclosure after the 90-day embargo period

6. Program Rules

Multiple reporters for the same vulnerability: reward split equally among first reporters

No reward for vulnerabilities already known or publicly disclosed

No reward for vulnerabilities caused by third-party dependencies outside our control

The program may be modified or terminated at any time

All reward decisions are final and at the sole discretion of the security team