Bug Bounty Program

Overview

Somm's mission is to provide secure, transparent, and high‑performance DeFi automation. To reinforce that commitment we have launched a self‑hosted bug bounty program covering the core Somm smart‑contract stack and supporting infrastructure. We invite security researchers to find, responsibly disclose, and help us remediate vulnerabilities. Rewards of up to USD 50 000 are available, commensurate with the impact and likelihood of each finding.

Scope

Component                        Repository / Deployment
Somm Web App front end           github.com/PeggyJV/sommelier-strangelove
Somm Cosmos application layer    github.com/PeggyJV/sommelier
Steward off‑chain relayer        github.com/PeggyJV/steward
Cellar strategy contracts        github.com/PeggyJV/cellar-contracts
Deployed contracts               sommelier.finance/audits

Only commits and contract addresses published by the PeggyJV organisation or displayed on the audits page are in scope. Dependencies (e.g., OpenZeppelin) are considered in scope only insofar as their use inside our code introduces a vulnerability.

Rules & Eligibility

  1. Responsible disclosure only. Give us a chance to remediate before any public release.
  2. Exploitation beyond the minimal proof‑of‑concept is strictly prohibited.
  3. Do not perform on‑chain attacks that put real user funds at risk. Use testnets or simulations.
  4. Keep all testing within accounts/contracts you control.
  5. No front‑running, phishing, social engineering, or denial‑of‑service attacks.

Out‑of‑Scope

  • Vulnerabilities in third‑party projects that do not affect Somm's integrations
  • Low‑impact UI/UX bugs
  • Best‑practice suggestions without a concrete security impact
  • Issues already reported or known to the team

Reporting Process

  1. Email bounty@peggy.cool with the subject [BUG BOUNTY].
  2. Include:
    • Title & short description
    • Affected component / contract address or commit hash
    • Reproduction steps or PoC (scripts, test cases, or tx hashes)
    • Impact assessment and suggested severity
  3. Encrypt your report with our PGP key (available on the audits page) if desired.

Response SLA: We acknowledge all reports within 24 hours and aim to provide an initial assessment within 5 working days. Once a fix or mitigation has been deployed and any user risk eliminated, you may coordinate public disclosure with our team.

© 2025 Somm by Bajanss OÜ – Maakri 36-50, Tallinn, Estonia 10145