Bug Reporting

Security is fundamental to Altitude. We welcome security researchers and advanced users to examine our systems and responsibly disclose any vulnerabilities you discover. When you help protect our users, we aim to recognise that contribution through public thanks and, where appropriate, a bug bounty reward.

If you believe you’ve found a security issue, please review the guidelines below before submitting a report.


Reports that appear to be generated or primarily drafted by an AI/LLM tool without human verification will be closed without response.

Submitters who send unverified reports may be permanently excluded from the programme. You are responsible for verifying every claim against the live codebase before submitting.

How to Report

Send all reports to [email protected] and include:

  • A clear summary of the issue

  • Exact affected contracts or components (addresses, repos, commit hashes)

  • The exact file path, function name, and line number in the current codebase, including the commit hash you reviewed

  • Impact analysis (potential attacker capabilities, affected users, maximum loss)

  • A runnable Foundry test. Pseudocode, diagrams, and hypothetical scenarios without execution evidence are not accepted

  • Any potential mitigations you recommend

When performing research:

  • Do not exploit vulnerabilities on mainnet or production

  • Do not access, modify, or exfiltrate other users’ data

  • Do not attempt denial-of-service attacks

  • Do not engage in social engineering of Altitude team members or users

If unsure, contact us before taking any risky action.

In-Scope Vulnerabilities

We primarily reward findings that could lead to a loss of funds, loss of control, or material risk to Altitude users or the protocol. Some examples:

  • Logic errors leading to loss, theft, freezing, or mis-accounting of funds

  • Access control failures or privilege escalation

  • Unsafe upgrade patterns or incorrect assumptions in integrations

  • Issues arising from Altitude’s integration with external protocols where the flaw is in Altitude’s logic or assumptions

When in doubt, report the issue. If it has real security impact, we will triage it.

Out-of-Scope Vulnerabilities

To maintain a high-signal programme, the following categories are explicitly out of scope and are not eligible for bounty rewards.

  • Duplicates of earlier submissions, including reframing or variations of the same underlying behaviour

  • Any known issues listed in the documentation, the repository, or previous audit reports

  • Issues requiring deployment from a non-trusted source

  • Typos, documentation, cosmetic UI issues, visual bugs without security impact

  • Vulnerabilities that depend on compromising the user before interacting with Altitude

  • Issues solely arising from third-party protocol bugs, where Altitude behaves according to the documented interface

  • User-error scenarios involving misuse of contract interfaces

  • Theoretical attacks requiring unrealistic assumptions, such as:

    • Economic manipulation beyond plausible conditions

    • Guaranteed MEV/control of transaction ordering

    • Compromise of privileged keys or systems we assume secure

  • Gas optimizations, informational findings or micro-efficiency improvements

Rewards & Recognition

Eligible submissions may receive a monetary bounty based on:

  • Severity: impact and likelihood

  • Novelty: not a duplicate or known issue

  • Quality: clarity, reproducibility, and depth of analysis

Reports that require significant back-and-forth to establish basic validity, reference incorrect code, or appear to be AI-generated will not be eligible for a reward and may result in exclusion from future participation.

With your consent, we may also credit you publicly. All reward decisions are made at the discretion of the Altitude team.

Safe Harbour

If you follow this policy in good faith:

  • We will not pursue legal action for your security research on Altitude

  • We will treat your report confidentially until a fix is deployed

  • We will communicate clearly throughout the disclosure process

We ask that you respect our users, limit your testing to what is necessary, and avoid causing harm or disruption.