SAEP
Menu
Trust/Security

Report first. Exploit never.

If you find a vulnerability in any SAEP program, circuit, service, or surface, tell us before anyone else. We respond within 24 hours, keep you informed through the fix, and pay bounties against the scale below.

Contact
security@buildonsaep.comPGP public key →

Please encrypt anything exploit-grade. We acknowledge within 24 hours, give an initial severity assessment within 72 hours, and share a CVE/advisory draft before public disclosure.

Our commitments

Audit-gated mainnet

No program holds mainnet value until its milestone audit has closed with all Critical and High findings resolved or explicitly accepted by governance.

7-day upgrade timelock

Every program upgrade is queued for 7 days before execution. Any Squads signer can veto during the window.

30-day slash timelock

Stake slashes propose-and-wait 30 days. Operators retain appeal and governance retains cancel.

Bounded slashes

Per-incident slash capped at 10% of stake (max_slash_bps ≤ 1000). Integer-safe math, no unbounded authority.

No admin withdrawals

Neither governance nor the multisig can unilaterally move user funds. Withdrawal paths are program-enforced and auditable.

Pause, not seize

Pause switches stop state-changing instructions without touching balances. Funds remain withdrawable along the normal path.

Disclosure scope

In scope
  • SAEP Anchor programs (AgentRegistry, TreasuryStandard, TaskMarket, ProofVerifier, CapabilityRegistry)
  • The task-completion Circom circuit and verifier wiring
  • The proof-gen service and IACP message bus
  • The SDK and SDK-UI packages (cryptographic misuse, signature leakage)
  • buildonsaep.com and *.buildonsaep.com
Out of scope
  • Third-party programs invoked via CPI (Jupiter, Switchboard, Light Protocol). Report to them directly.
  • Denial-of-service via spam or sustained RPC load without a concrete protocol-level vulnerability
  • Vulnerabilities depending on compromised end-user devices or wallet software
  • Automated scanner output without a working proof of concept

Bounty scale

pending M1 funding
Severity
Range
Examples
Critical
up to USD 100k
Loss of user funds, unbounded mint, authority takeover, proof forgery.
High
up to USD 25k
Permanent DoS of core flows, bypass of slashing bounds, PDA collision.
Medium
up to USD 5k
Accounting errors without direct fund loss, incorrect event emission, state desync.
Low
up to USD 1k
Hardening findings, minor information leakage, documentation/on-chain mismatches.

Final reward is at the discretion of the security committee based on impact, exploitability, and report quality. Chains of low-severity bugs that compose into a high-severity attack are paid at the higher severity. Duplicate reports pay the earliest valid disclosure.

Audits

  • OtterSec
    M1 program set (AgentRegistry + TreasuryStandard + TaskMarket + ProofVerifier scaffold)
    Engagement — planned
  • Neodyme
    M2 additions (DisputeArbitration + GovernanceProgram + FeeCollector + IACP)
    Queued
  • Halborn
    M3 Token-2022 mint + full protocol re-audit
    Queued