MOONSALE
a product of IGH

Bug Bounty Program

Help us keep MoonSale secure for everyone. If you discover a vulnerability in our smart contracts, frontend, or APIs, report it responsibly and get rewarded.

MoonSale smart contracts have been audited with a 96/100 security score. This program covers any vulnerabilities not caught during audit and ongoing security improvements as new features ship.

Reward Tiers

Critical
Funds at risk or system compromise
$500 USDT
  • Smart contract exploit allowing fund drainage
  • Unauthorized withdrawal or transfer of user funds
  • Complete authentication bypass granting admin access
High
Significant security or data exposure
$100 USDT
  • Privilege escalation on presale contracts
  • Data exposure of sensitive user information
  • Logic flaw allowing presale manipulation
Medium
Limited impact bugs with clear exploit path
$25 USDT
  • Incorrect on-chain state causing wrong UI behavior
  • API endpoint returning unintended data
  • Minor contract logic bug with limited impact
Low
No security impact, informational
XP + Public Credit
  • UI/UX bugs with no security impact
  • Typos or incorrect information in docs
  • Cosmetic frontend issues

Scope

In Scope
  • BSC mainnet smart contracts (Presale Factory, Fair Launch Factory, Lottery, Escrow)
  • Base mainnet smart contracts (same suite)
  • MoonSale frontend at moonsale.app
  • Public API endpoints (api routes)
  • Affiliate and XP reward logic
Out of Scope
  • Third-party infrastructure (Render, Cloudflare, CDN providers)
  • Database or server-level vulnerabilities outside our control
  • Bugs already reported or known issues
  • Theoretical attacks with no proof of concept
  • Spam, rate-limiting, or DoS attacks
  • Social engineering or phishing attacks
  • Issues in testnet contracts only

Program Rules

Responsible Disclosure

Report vulnerabilities privately before any public disclosure. Give us reasonable time to patch (up to 14 days for critical issues) before sharing with anyone.

No Exploitation

Do not exploit the vulnerability beyond what is necessary to demonstrate the impact. Do not access, modify, or delete data that is not your own.

Proof of Concept

Include clear reproduction steps, the impact you believe it has, and any relevant transaction hashes, screenshots, or code snippets.

One Report Per Issue

Submit each unique vulnerability as a separate report. Duplicate reports for the same underlying issue will only receive one reward.

Good Faith

Act in good faith toward MoonSale users and the community. Reports made in bad faith or used for extortion will be disqualified.

Rewards at Our Discretion

Final severity classification and reward amounts are determined by the MoonSale team based on actual impact and quality of the report.

How to Submit

1. Reproduce the vulnerability and document the exact steps.
2. Assess the impact: what can an attacker do, and who is affected?
3. Prepare a clear write-up with steps, impact, and any supporting evidence (tx hash, screenshots, PoC code).
4. Fill out the report form using the button below. Do not post publicly.
5. Our team will acknowledge within 48 hours and investigate. We will notify you when patched and process your reward.

MoonSale reserves the right to modify or discontinue this program at any time. Rewards are paid in USDT on BSC. Participation in this program constitutes acceptance of these rules.