Bug Bounty Program
Help us keep Venice secure. We reward security researchers who responsibly disclose vulnerabilities in our products.
How the Program Works
Our bug bounty program provides a structured way for security researchers to report vulnerabilities and earn rewards.
1. Discover: Find a security vulnerability in a Venice product within scope.
2. Document: Create a detailed report with proof of concept and reproduction steps.
3. Report: Submit your findings through our secure reporting form.
4. Reward: Eligible bounty rewards are paid in VVV and/or USDC at Venice's discretion.
Rewards
Eligible bounty rewards are paid in VVV and/or USDC at Venice's discretion. Reward amounts below are denominated in VVV; Venice may pay an equivalent amount in USDC. Rewards are based on demonstrated impact, exploitability, novelty, reproducibility, and report quality.
- Minor but real security issues with clear reproduction, such as limited information disclosure or low-risk configuration gaps with demonstrated impact.
- Contained vulnerabilities with demonstrated impact, such as limited stored XSS, narrow authorization gaps, or abuse paths affecting a small set of users.
- Significant vulnerabilities affecting account security, authorization boundaries, billing integrity, or user data.
- Severe, novel vulnerabilities with broad user impact, such as authentication bypass, remote code execution, sensitive data exposure at scale, or VVV smart contract compromise.
Program Scope
Please review what is and is not covered by this program before submitting.
In Scope
- Venice web application (venice.ai)
- Venice API (api.venice.ai)
- Venice Android app, iOS app, and official APK
- Authentication and session management
- Payment and billing flows
- User data handling and privacy controls
- Chat and conversation encryption
Out of Scope
- Social engineering or phishing attacks
- Denial-of-service (DoS/DDoS) attacks
- Third-party or vendor-managed issues unless caused by Venice's integration or configuration
- Issues requiring physical access
- Automated scanning without validation
- Spam, abuse, or reputation reports without a security vulnerability
- Security header, DNS, SPF, DMARC, CAA, or version disclosure reports without demonstrated exploitability or user impact
- Theoretical rate limiting or brute-force reports without demonstrated impact
Report Requirements
All submissions must include a clear proof of concept, exact reproduction steps, and a description of the security impact.
Proof of Concept
Demonstrate actual exploitation with video, screenshots, or exact reproduction steps. Exceptions apply for self-evident issues like certificate problems.
Specific to Our Environment
Show the vulnerability exists in our actual application, not theoretical scenarios. Generic scanner output without validation is not eligible for rewards.
Based on Your Testing
AI-assisted reports are acceptable only if they are personally validated and reproducible. Unverified AI-generated reports will be rejected.
Help Keep Venice Secure
Found a vulnerability? Submit your report and help us protect our users. Eligible bounty rewards are paid in VVV and/or USDC at Venice's discretion.