The bug bounty for busy, high-performance teams

It takes 2 minutes to get top bug bounty hunters and security experts working for you 24/7, so your team can focus on your customers

FIRST PRINCIPLES

What does the ideal bug bounty program look like?

Focus on your customers, not your bug bounty

Designed to let your team focus on building instead of disproving invalid submissions

Spam submissions are a thing of the past

A 250 USDC deposit is required to make a submission

Free support from experts

Triage and review by a security expert who knows your codebase

Attracts the world’s best bug hunters

Many of the best security experts spend most of their time on Sherlock

Fast, painless setup

Your program is pre-filled and takes 2 minutes to set up

No ongoing costs

You only pay when a valid, reputation-saving submission is made

BUG BOUNTY DEFINITION

What is a Bug Bounty?

A bug bounty is an offer made by a protocol team to pay a specific amount to a person who responsibly discloses a vulnerability in the team’s codebase.

Bug bounties are usually set up on a live codebase that has funds at risk. When a whitehat submits a vulnerability to a bug bounty program, the protocol team pays the whitehat the stated bounty amount for the bug and can then fix or mitigate it before an attacker exploits it, protecting their users and their reputation.

TRACK RECORD

Critical Bugs are found on Sherlock

612 Critical bugs found
195,467 Lines of code reviewed by Sherlock
324 Security experts have submitted Critical bugs
73 Projects have received Critical bug submissions

The Sherlock Difference

Sherlock solves common problems with other bug bounty platforms

Problem

Bug bounty programs usually take 3-4 weeks and a lot of work to set up

Solution

Sherlock’s setup takes 2 minutes and all fields are already filled out

Sherlock ran your audit contest, so we already know the contracts in scope, the vulnerability classes you care about, and your severity definitions - you’re ready to go

Problem

Bug bounty companies charge for triaging

Solution

Sherlock’s triaging is free forever

Because Sherlock requires a deposit to submit bugs in the program, the triaging is paid for either by the deposit of an ineligible submission or as part of the bounty payout for an eligible submission

Problem

Triaging in bug bounty platforms is usually very poor and wastes the team’s time

Solution

Sherlock brings in one of the top performers from your Sherlock audit contest to review submissions

There is likely no one more qualified in the world to triage your submissions than a top performer in your protocol’s Sherlock audit contest

Problem

Triaging is just sorting, you’re still left to diagnose and treat problems on your own

Solution

Sherlock brings in a top performer from your audit contest to actually determine whether a submission is legitimate and to help you fix it

This is possible and free because Sherlock requires submitters to post a deposit with each submission in your program; if the submission is determined to be ineligible for payment, that deposit compensates the security expert who reviewed it

Problem

Bug bounty platforms aren’t aligned with you and make most profit on non-Critical submissions

Solution

Sherlock defaults to Critical-only which limits spam and allows your team to focus on your product, not your bug bounty submissions

When you’re on mainnet with funds at risk, Critical submissions matter far more than anything that can’t cause a loss or freezing of funds - don’t get lost in dozens of notifications for non-Critical and ineligible submissions

Problem

Whitehats are incentivized to submit spam to bug bounty programs because there is no cost to being wrong

Solution

Sherlock requires a $250 deposit for each submission

Because Sherlock is only focused on Critical submissions, a $250 deposit against a potential $100,000 or $1,000,000 payout is not a significant barrier for serious whitehats who have done the research on their submission

Problem

It’s risky to list a large bug bounty because a payout can hit your treasury or runway at any moment

Solution

Sherlock is the only platform in the world that offers bug bounty coverage: Sherlock pays your lump-sum payouts and you pay Sherlock a monthly fee

Sherlock’s smart contract coverage platform is one of the most trusted in DeFi, with a permissionless claims process, and it lets you afford a larger bug bounty ($1,000,000+) than you otherwise could

Problem

Whitehats don’t trust bug bounty programs because payment is uncertain

Solution

With Sherlock’s bug bounty coverage, whitehats can see the funds on-chain in Sherlock’s smart contract coverage protocol and audit the permissionless claims process themselves

Using Sherlock’s bug bounty coverage attracts more whitehats to your program because they can verify that the funds are on-chain and the process is fair

How does the setup work?

Setup takes 2 minutes and comprises 4 steps

STEP 1
Once your audit contest with Sherlock is complete, you’ll see an optional step to set up a bug bounty
STEP 2
You’ll see most of the details of your program already filled out, and you can make any edits you want
STEP 3
Then you’ll provide email addresses for the admins of your program
STEP 4
Once the agreement is signed, your bug bounty program goes live!

Trusted by the best teams in crypto

100+ audits completed with top-tier customers