# Torches bug bounty

---

#### Vulnerability Severity

| **Impact** | Likelihood | Severity |
| ---------- | ---------- | -------- |
| High       | High       | Critical |
| High       | Medium     | Severe   |
| High       | Low        | Moderate |
| Medium     | High       | Severe   |
| Medium     | Medium     | Moderate |
| Medium     | Low        | Low      |
| Low        | High       | Moderate |
| Low        | Medium     | Low      |

*Likelihood*: the probability that a particular vulnerability is discovered and exploited.

*Impact*: the loss an attack exploiting this vulnerability would cause.

*Severity*: the overall magnitude of the vulnerability.

Likelihood and impact are each rated at one of three levels: high, medium and low. Severity is derived from likelihood and impact and has four levels: critical, severe, moderate and low.

---

#### Reward Range

| **Technical severity** | Reward range      |
| ---------------------- | ----------------- |
| P1 - Critical          | $1,000 or above   |
| P2 - Severe            | $500 - $1,000     |
| P3 - Moderate          | $200 - $500       |
| P4 - Low               | $100 - $200       |

---

#### Vulnerability Classifications

#### In Scope:

:information_source: https://github.com/TorchesFinance/torches-protocol

##### P1 (Critical):

**Vulnerabilities that could undermine the fund safety of any user or business operator, including:**

1. Vulnerabilities that could undermine the safety of any user's funds or fees.
2. Vulnerabilities that could severely undermine trading or the token economy.
3. Vulnerabilities that could disrupt the governance of the protocol.

##### P2 (Severe):

**Vulnerabilities with similar impact to P1 vulnerabilities, but dependent on specific prerequisites, including:**

1. Vulnerabilities that could undermine or disrupt trading or the token economy.
2. Vulnerabilities that could disrupt the oracle price feed service.
3. Vulnerabilities that could prevent users from redeeming their funds and rewards.

##### P3 (Moderate):

**Denial of service of critical functions, including:**

1. Denial of service of nodes.

##### P4 (Low):

**Client and UI bugs, including:**

1. Garbled web page rendering.
2. Failure to load a web page.
3. Some functions cannot be used.

---

#### Out of Scope:

- **Speculation without any evidence, including but not limited to:**
  1. Theoretical vulnerabilities.
  2. Use of known vulnerable libraries without an actual proof of concept.
- **Phishing (e.g. HTTP Basic Authentication phishing).**
- **Internally known issues, duplicate issues, or issues which have already been made public.**