Bug Bounty

Mirage welcomes responsible disclosure of security and privacy vulnerabilities affecting released versions of Azoth, Nomad, and production Mirage network components.

We reward real, exploitable issues that impact user funds, privacy guarantees, transaction integrity, or system availability in production-released software.

We do not provide rewards for theoretical concerns, non-exploitable best-practice suggestions, or findings limited to unreleased code, development branches, or non-production environments.

Rewards are determined based on severity, exploitability, and impact according to the ranges below. Final awards remain at Mirage's discretion.

Reward ranges

  • Critical: up to $25,000
  • High: $3,000 - $10,000
  • Medium: $500 - $3,000
  • Low: up to $500
  • Informational, nits, non-exploitable issues, or low-value findings: no reward

The $25,000 maximum is reserved for rare vulnerabilities that are highly likely to be exploited, easy to abuse, exploitable at scale, and capable of causing substantial compromise across many users, systems, or assets.

In scope

  • Azoth, released versions only
  • Nomad, released versions only

Out of scope

  • Unreleased features
  • Branches, pull requests, historical commits, or source-only findings not present in a released version
  • Test, staging, demo, preview, or sandbox environments
  • Third-party infrastructure or services not directly exploitable through a released Azoth or Nomad deployment
  • Scanner-only findings without a demonstrated exploit path
  • Best-practice gaps without concrete security impact
  • Findings requiring unrealistic assumptions or improbable user interaction
  • Social engineering, phishing, physical access attacks, or credential stuffing
  • Denial of service with limited practical impact
  • Duplicate reports or previously known issues

To be considered, reports must include

  • Affected product and released version
  • Clear reproduction steps
  • Proof of concept
  • Realistic impact assessment
  • Any assumptions or prerequisites

Safe Harbor

If you act in good faith, comply with this policy, avoid privacy violations and service disruption, and report findings promptly, Mirage will not pursue legal action against your security research.

This includes bypassing controls solely as necessary to demonstrate a vulnerability.

Please avoid accessing, modifying, or retaining user data beyond what is required for proof.

Response Timeline

We aim to:

  • acknowledge reports within 24 hours
  • provide an initial triage decision within 5 business days
  • issue bounty decisions within 14 business days after validation
  • coordinate disclosure timelines with researchers

Payout Terms

Rewards are paid within 14 days of issue validation and bounty acceptance. Payouts may be made in USDC, USD wire, or another mutually agreed method.

Submission

Send reports to whisper@mirageprivacy.com.

We are also happy to offer grants to researchers to analyze the Mirage network and Azoth's effectiveness; please check Researcher Grants for that.