The Sunflower team and community take all security bugs in the game seriously. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
Bugs in the Sunflower Land repository are in scope. Bugs in third-party dependencies (e.g., React, TypeScript, XState) are not in scope unless they result in a Sunflower Land-specific bug.
Only bugs that have a demonstrable security impact on the smart contracts, tokens or inventory items that can be affected are in scope.
For example, a vulnerability in the game that lets you bypass the game's server verification and mint free tokens or items is a vulnerability.
As a general rule, only the latest release gets security updates.
To report a vulnerability, please get in contact with one of the engineers in the #devs-chat channel in Discord.
In the bug report, please include all details necessary to reproduce the vulnerability such as:
- Input program that triggers the bug
- Browser version
- Operating system
Please include steps to reproduce the bug you have found in as much detail as possible.
Once we have received your bug report, we will try to reproduce it and provide a more detailed response. Once the reported bug has been successfully reproduced, the Sunflower team will work on a fix.
We are an open source project and don't always have the resources to answer straight away. We are extremely appreciative that you are helping us make this game truly awesome!
There is no official bounty program set up due to the lack of funds and the open source nature of the project.
Developers and key contributors are often whitelisted in upcoming features and airdrops for NFTs and items. Finding a vulnerability would make you a key contributor and open to these rewards.