Rules of Conduct
The standards every participant agrees to when using CertiK Hunt.
#Introduction
CertiK Hunt is built to create a fair, transparent, and collaborative environment for security researchers and project teams. These Rules of Conduct establish the standards expected of all participants using the platform.
By creating an account, participating in a bug bounty program, or submitting findings through CertiK Hunt, you agree to comply with these Rules of Conduct.
#1. Participate Responsibly
CertiK Hunt is intended to support constructive collaboration between security researchers and project teams.
Researchers are expected to participate honestly, professionally, and in good faith when conducting security research, submitting findings, communicating with project teams, and engaging with the CertiK Hunt platform.
Researchers should cooperate with reasonable requests for clarification, additional evidence, or validation during the review process and provide information that is accurate to the best of their knowledge.
#2. Follow Program Scope and Requirements
Each bug bounty program may define its own scope, eligibility requirements, testing restrictions, reward structure, and disclosure expectations.
Researchers are responsible for reviewing and complying with the requirements of each program before conducting testing or submitting reports.
Activities involving assets, systems, applications, smart contracts, infrastructure, or environments that are explicitly identified as out of scope may not be eligible for rewards and may result in report rejection.
#3. Protect Users, Assets, and Systems
Researchers must make reasonable efforts to avoid actions that could negatively impact users, project teams, or third parties.
Unless explicitly authorized by the applicable program, researchers should not:
- Access, modify, retain, or disclose sensitive information beyond what is reasonably necessary to demonstrate a vulnerability.
- Transfer, withdraw, destroy, lock, or otherwise interfere with digital assets belonging to other parties.
- Intentionally disrupt services, degrade availability, or impair normal system operations.
- Conduct phishing, impersonation, social engineering, physical intrusion, or other non-technical attacks.
- Use vulnerabilities for personal gain, market manipulation, unauthorized trading, or any activity unrelated to responsible disclosure.
#4. Submit Accurate and Actionable Reports
To facilitate effective triage and remediation, researchers should submit reports that clearly describe:
- The affected asset or component.
- The nature of the vulnerability.
- Steps required to reproduce the issue.
- The potential impact of the vulnerability.
- Supporting evidence, proof of concept, or other materials reasonably necessary for validation.
Researchers should make a good-faith effort to ensure that submitted information is accurate and complete.
Knowingly submitting false, misleading, fabricated, or intentionally exaggerated reports is prohibited.
#5. Follow Responsible Publication Requirements
Researchers must comply with the Responsible Publication Policy applicable to the bug bounty program in which they participate.
Each program may define its own publication, disclosure, embargo, or coordination requirements. Researchers are responsible for reviewing and complying with the Responsible Publication Policy published by the project before disclosing information related to a reported vulnerability.
Unless expressly permitted under the applicable Responsible Publication Policy, researchers should not publicly disclose information regarding unresolved vulnerabilities, confidential project information, or details that could reasonably increase risk to users or project ecosystems.
#6. Communicate Professionally
Researchers are expected to interact professionally and respectfully with project teams, CertiK personnel, and other platform participants.
The following conduct is prohibited:
- Harassment, discrimination, abuse, or threatening behavior.
- Attempts to pressure, intimidate, or coerce project teams or CertiK personnel.
- Demands for payment outside of established program processes.
- Misrepresentation of findings, severity, impact, identity, or qualifications.
- Any conduct intended to undermine the integrity of the platform or the bug bounty process.
Disagreements regarding vulnerability validity, severity classification, reward outcomes, or other program decisions may occur. Researchers are expected to address such disagreements professionally and through the platform's established review and appeals processes, where applicable.
#7. Respect the Integrity of the Platform
Researchers may not engage in activities intended to manipulate, abuse, or circumvent the operation of CertiK Hunt.
Examples include:
- Creating fraudulent or misleading accounts.
- Circumventing platform controls or restrictions.
- Submitting reports on behalf of another individual without authorization.
- Attempting to manipulate reputation systems, rankings, rewards, or platform processes.
- Engaging in coordinated abuse, spam, or other activities that negatively impact platform operations.
#8. Enforcement
CertiK reserves the right to investigate potential violations of these Rules of Conduct.
Where CertiK determines that a participant has violated these Rules, applicable program requirements, or otherwise acted in bad faith, CertiK may take appropriate action, including:
- Rejecting or disqualifying submissions.
- Restricting access to specific programs or platform features.
- Suspending or terminating platform accounts.
- Removing content or reports.
- Taking any other action reasonably necessary to protect the integrity of the platform, participating projects, researchers, or users.
CertiK may exercise these measures at its discretion and in accordance with applicable law and platform policies.
#Updates
CertiK may update these Rules of Conduct from time to time. Continued use of CertiK Hunt following any update constitutes acceptance of the revised Rules.