As part of its commitment to securing the metaverse, The Sandbox, a virtual gaming metaverse, has announced the continuation of its Bug Bounty Program, which pays rewards to participating users.
The program requires users to report bugs found when using the game’s blockchain ecosystem. Participants have the opportunity to earn up to $200,000 in $SAND.
— The Sandbox (@TheSandboxGame) October 2, 2022
How to Participate in the Bug Bounty Program
To earn a reward, participants must complete the program's KYC requirements when submitting a report. They must submit an ID photo along with a scanned copy of a utility bill as proof of residency.
Bug bounty hunters must submit bug reports with a proof of concept (PoC) with end-effects affecting an asset-in-scope to qualify for a reward. According to The Sandbox, statements and explanations are not eligible as PoC. Bug bounty hunters must also include the code when submitting bug reports.
Highlights of the Rewards for the Bug Bounty Program
The game metaverse will distribute rewards based on the severity of the vulnerability as classified by the Immunefi Vulnerability Severity Classification System V2.2. The game platform mentioned it capped the rewards for vulnerabilities associated with a critical smart contract at 10% of economic damage.
According to the game metaverse, the minimum reward in the program is $50,000, while the maximum is $200,000. For repeatable attacks, the bug bounty hunter will only receive a reward for the first attack, unless the smart contract is not upgradeable.
The Sandbox also mentioned it capped high severity smart contract vulnerabilities at up to 100%. Where there is temporary freezing, the platform will double the reward for each additional five blocks for temporarily frozen funds and round it down to the closest multiple of five up to the hard cap of $20,000.
Who is not eligible for the Bug Bounty Program Rewards?
The Sandbox’s team members are not eligible for rewards when they report bugs. Team members and employees of third-party suppliers of core units operating in a technical capacity with assets covered in the bug bounty program are also not eligible for rewards.
Additionally, Sandbox’s audit companies, their team members, and third-party suppliers are not eligible to earn rewards.
Other third-party suppliers not working with the platform’s Core Unit but possessing assets categorized as critical infrastructure under the bug bounty program are also considered ineligible. Previously discovered and reported bugs are also ineligible for this program.