For researchers

Submit once. CertiK verifies.
You get paid what the bug is worth.

Join the private network, submit a reproducible finding, and get a tracked, fair reward decision after CertiK verifies it.

Backed by CertiK: 5,181 projects secured, $500B+ assessed since 2018.

Reproducible reports stay private to the author and authorized CertiK triagers.
report lifecycle

The report lifecycle

submit · private report
TitleReentrancy in withdraw() drains vault
SeverityCritical
Affected assetVaultV2.sol · 0x6b…a91c
Proof of concept
function testWithdrawDrain() public { attacker.reenter(address(vault)); assertLt(vault.balance(), beforeBalance);}
Attachmentexploit-poc.ts
Submit report
01

Submit

A vetted researcher opens a live program from their workspace and submits a reproducible finding with a clear title, severity, affected asset, and a proof-of-concept.

triage · certik review
Reproducing PoCdone
Severity ratingdone
Scope checkpending
Coordinating with protocolpending
Independent reproduction. Not the protocol.
02

Triage

A CertiK expert reproduces the PoC, checks duplicates, and sets severity independently of the protocol. CertiK runs triage and payouts; status updates land in your dashboard.

decision · accepted
SeverityCritical
Rationale
impact: attacker drains vault balanceduplicate: none · scope: eligible
Researcher statusNotified
RewardPayout queued $50,000
Clear rationale on every report.
03

Decision

Accepted, duplicate, or out-of-scope decisions are recorded with clear rationale so manual decisions stay documented.

payout · resolved
reward$50,000
SeverityCritical
StatusResolved
Public disclosureCoordinated
Coordinated disclosure — terms set per program.
04

Payout and disclosure

Programs publish reward ranges and payout handling terms before launch. CertiK records accepted, resolved, and paid states after human confirmation.

faq

FAQ

Ready when you are

Request my invite and we'll follow up by email.