Security is vital to Audius' mission. We work hard to ensure that data is always safe. Our Privacy policy and Terms of Use describe our data-use practices, and we encourage third-parties to explore our Codebases and respectfully disclose vulnerabilities & issues.

Bug Bounty Policy

We generally adhere to disclosure guidelines from HackerOne and Immunefi

Disclosure process

  1. Safely disclose issue and applicable proof-of-concept or steps for reproduction to
  2. We determine severity of issue together, following informal CVSS guidelines (example), producing classification (low, medium, high, critical)
  3. Bounty is paid out
  4. Fix is produced, rolled out, and reporter can disclose issue publicly
  5. We produce & publish documentation of issue


Smart Contracts (Ethereum, Solana)

  • "Critical" - Please Contact Our Team
  • "High" - $20,000+
  • "Medium" - $5,000
  • "Low" - $0 - $1,000

Websites & Apps

  • "Critical" - $5,000
  • "High" - $2,000
  • "Medium" - $500
  • "Low" - $0 - $100

Smart Contract Assets

Not eligible for reward

  • Third-party applications that use Audius APIs
  • XSS requiring legacy browsers
  • Self-XSS
  • SSL/TLS best practices
  • Missing HTTP header which does not lead to a direct vulnerability
  • Missing cookie flags, unless the absence can be abused by a legitimate workflow
  • Clickjacking without demonstration of impact
  • Account enumeration through brute-force attacks
  • CSV command execution
  • Best practice recommendations with no proof-of-concept
  • Token reuse, password poisoning, or account revocation with regard to the documented security considerations in Hedgehog
  • Any denial of service attacks

Other Concerns

All other security concerns should be directed at