Bug Bounty Program

Last updated: April 16, 2026

Live disclosure on the staked-kUSD wrapper: skUSD admin status (parked-solo-admin pending Safe rotation).

Kerne Labs ("Kerne Protocol," "we," "us," or "our") is committed to the security of our smart contracts, infrastructure, and users. We welcome responsible security researchers to help identify and report potential vulnerabilities in our protocol.

Kerne Labs may, at its sole discretion, offer rewards to individuals who report valid, previously unknown vulnerabilities in accordance with this policy.

This policy does not create any contractual obligation, employment relationship, or guarantee of compensation. Participation in this program is voluntary and at the researcher's own risk and expense.

1. Scope

Smart Contracts

The following contracts deployed on Base (Chain ID 8453) are in scope. Only the deployed versions of these contracts are eligible for consideration:

  • KerneVault
  • kUSD
  • KUSDPSM
  • KerneToken
  • KerneStaking
  • KerneInsuranceFund
  • KerneTreasury
  • KerneFlashArbBot
  • esKERNE
  • KerneReferral
  • KerneYieldDistributor
  • KerneYieldOracle

Web Applications

The kerne.fi and app.kerne.fi web interfaces are in scope, but only for vulnerabilities that could directly result in loss of user funds or compromise of the protocol's integrity.

2. Severity Classification

Reported vulnerabilities are assessed based on their potential impact and exploitability. The following classifications serve as general guidance:

Critical

Vulnerabilities that could lead to direct loss or theft of user funds, permanent freezing of funds, or protocol insolvency. Examples include unauthorized token minting, bypassing withdrawal restrictions, or oracle manipulation leading to fund extraction.

High

Vulnerabilities that could lead to temporary freezing of funds, significant governance manipulation, or compromise of protocol access controls. Examples include privilege escalation or yield calculation errors leading to material loss.

Medium

Vulnerabilities that could lead to griefing attacks, minor yield leakage, or degradation of protocol functionality without direct fund loss. Examples include denial of service to specific functions or minor accounting errors.

Low

Vulnerabilities with minimal impact, informational findings, or best-practice deviations. Examples include gas optimization issues, non-critical view function errors, or events not emitted correctly.

3. Rewards

Rewards for valid vulnerability reports are granted at the sole discretion of Kerne Labs. Reward amounts, if any, are determined on a case-by-case basis considering:

  • The severity and potential impact of the vulnerability.
  • The quality and completeness of the report.
  • The potential impact on user funds and protocol operations.
  • The exploitability of the vulnerability under realistic conditions.

We aim to provide rewards commensurate with the severity and impact of the reported vulnerability. Critical vulnerabilities that pose an imminent threat to user funds will be prioritized for the highest consideration.

Kerne Labs reserves the right to determine whether a reported issue qualifies for a reward and to determine the appropriate reward amount. All reward decisions are final and not subject to appeal.

This program does not constitute an offer, contract, or guarantee of payment. Submission of a report does not entitle the reporter to any compensation.

Rewards, if granted, may be paid in USDC, ETH, or other digital assets at the discretion of Kerne Labs. Reporters are solely responsible for any tax obligations arising from rewards received.

4. Eligibility

To be eligible for consideration under this program, you must:

  • Be the first person to report the vulnerability to Kerne Labs.
  • Not exploit the vulnerability beyond what is strictly necessary to demonstrate it (proof of concept only).
  • Not violate the privacy of other users, disrupt the protocol's operation, or destroy data.
  • Not be subject to sanctions or reside in a jurisdiction prohibited under our Terms of Service.
  • Not be a current or former employee or contractor of Kerne Labs.
  • Comply with all applicable laws and regulations in your jurisdiction.
  • Comply with the responsible disclosure requirements outlined in this policy.

5. Reporting Process

To submit a vulnerability report, please email us at kerne.systems@protonmail.com with the subject line "Security Report: [Brief Description]." Your report should include:

  • A clear description of the vulnerability.
  • The affected contract(s) or component(s).
  • Step-by-step reproduction instructions.
  • A proof of concept (code, transaction hash, or screenshots).
  • Your assessment of the severity and potential impact.
  • Your wallet address for potential reward payment (optional at time of report).

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 business days. Response times are targets, not guarantees, and may vary based on report volume and complexity.

Do not open public GitHub issues for security vulnerabilities.

6. Responsible Disclosure

We ask that you give us a reasonable amount of time to address the vulnerability before disclosing it publicly, a minimum of 90 days from the initial report, or until a fix has been deployed, whichever comes first.

You must not disclose the vulnerability to any third party before it has been resolved, unless mutually agreed upon in writing. Public disclosure after remediation should be coordinated with the Kerne team.

7. Safe Harbor

Kerne Labs will not pursue legal action against security researchers who act in good faith and in compliance with this policy. "Good faith" means:

  • Making a genuine effort to avoid privacy violations, data destruction, and service disruption.
  • Only interacting with accounts you own or with explicit permission.
  • Not exploiting a vulnerability beyond what is necessary for a proof of concept.
  • Reporting the vulnerability promptly.

This safe harbor does not extend to violations of applicable law, activity that causes material harm to users or the protocol, or actions taken outside the scope of this policy.

8. Out of Scope

The following are not eligible for consideration under this program:

  • Vulnerabilities in third-party contracts, protocols, or services that Kerne integrates with (e.g., Aave, Uniswap, Chainlink).
  • Issues already known to the team or previously reported by another researcher.
  • Vulnerabilities in contracts deployed on networks other than Base (Chain ID 8453), unless specifically designated.
  • Frontend bugs that do not result in loss of funds or compromise of the protocol (cosmetic issues, typos, broken links, etc.).
  • Theoretical vulnerabilities without a working proof of concept.
  • Issues related to unsupported browsers or outdated software.

9. Exclusions

The following activities are explicitly excluded from this program and may result in disqualification and/or legal action:

  • Social engineering (phishing, vishing, etc.) targeting Kerne team members or users.
  • Denial-of-service (DoS/DDoS) attacks against Kerne infrastructure.
  • Physical attacks against Kerne facilities or team members.
  • Automated vulnerability scanning that generates excessive traffic.
  • Attacks against Kerne's internal infrastructure (email, CI/CD, cloud services).
  • Any activity that could cause harm to users, including front-running, sandwich attacks, or exploiting the vulnerability on mainnet for personal gain.

10. Limitation of Liability

To the maximum extent permitted by applicable law:

Kerne Labs shall not be liable for any damages arising from participation in this program, including but not limited to any costs or expenses incurred in identifying or reporting vulnerabilities. Kerne Labs makes no representations or warranties regarding the availability, continuity, or terms of this program.

11. Changes to This Policy

Kerne Labs reserves the right to modify, suspend, or terminate this program at any time without notice. Changes are effective immediately upon posting to this page. Your continued participation in the program after any modifications constitutes your acceptance of the revised policy.

12. Contact Information

For security reports or questions about this program, please contact us:

Kerne Labs

Email: kerne.systems@protonmail.com

Website: kerne.fi