
The Sandbox Bug Bounty Program




Discover unknown bugs, get rewarded! Let’s keep the Sandbox metaverse secure.


The Sandbox is launching a new program to ensure our ecosystem is as safe as it can be. The Bug Bounty Program will launch on July 5th, 2022. Read on to learn how you can submit a bug detected in one of our smart contracts.


  • The Sandbox Bug Bounty Program is launching on July 5th, 2022.
  • You can report bugs and be rewarded on the Immunefi platform: https://immunefi.com/bounty/thesandbox/.
  • Rewards are based on the severity of the bug detected.


When building an ecosystem as complex as The Sandbox, having safe and secure tokens is always of the utmost importance.

The Sandbox has been investing a lot of time and money to audit and secure our smart contracts. As of early 2022, we have doubled our efforts and now have two different audits, run by two separate companies, conducted on our smart contracts before they go live.

On top of that, we now want to involve our community in the process and reward them accordingly for their dedication.

The bounty program involves the community and rewards them for reporting bugs in our smart contracts already in production.

How do I submit a bug?

If you’ve found a bug, you can submit it on the Immunefi platform: https://immunefi.com/bounty/thesandbox/. Upon submission, the team will investigate the bug and try to replicate it. If it is confirmed to be an unknown bug, the team will issue you your rewards. The amount awarded will be distributed according to the severity level, based on the Immunefi Vulnerability Severity Classification System V2.2.

How do I know if my bug is eligible to claim my rewards?

When you submit a bug report, it will be time-stamped on the blockchain, and only the first valid submission will be rewarded.

Bug reports covering previously discovered bugs (found in audits or specified on the Immunefi bounty page) are not eligible for the program. This means that if two or more people submit the same bug, only the first person to report it will be eligible to claim the rewards. Any bug already specified on the bounty page will also not be eligible for rewards.

All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward.

You will be required to complete a KYC process to claim the rewards (paid in SAND).

All the detailed rules are available on the Immunefi page: https://immunefi.com/bounty/thesandbox/

What are the rewards?

The rewards are offered depending on the severity of the bug reported. There are four levels of bugs that can be reported: low, medium, high and critical.

  • Critical: Up to 200,000 USD (paid in SAND)
  • High: Up to 20,000 USD (paid in SAND)
  • Medium: 2,000 USD (paid in SAND)
  • Low: 1,000 USD (paid in SAND)

Let’s continue to strive for a safer and more secure ecosystem for our community.


The Sandbox Bug Bounty Program was originally published in The Sandbox on Medium, where people are continuing the conversation by highlighting and responding to this story.
