::: coordinated disclosure · live · base sepolia

report responsibly.
get paid on-chain.

GitHunt is the bug bounty layer for the open-source / crypto-dev world. Researchers seal vulnerabilities to repo owners in their browser. Owners fund bounties in escrow. Shipping the fix releases the payout. Reputation accrues on-chain.

v0.8 · phase 8 of 9 · indexer: watching · HuntEscrow: 0xA3cd…B349
live · base sepolia · chain 84532

  • $HUNT: 1,000,000,000 · fixed supply
  • programs live: 0 · be the first
  • reports sealed: 0 · ciphertext only
  • escrow: 0xA3cd…B349 · base sepolia
  • indexer: watching · 10s poll

::: the pact

Four rules.
No exceptions.

If a feature can't be built without breaking one of these, it doesn't get built. The architecture inherits the rules.

  1. P-01

    vuln content is never public.

    There is no public feed of unresolved reports. Optional sanitized advisories may be published only after a fix, only with the owner's explicit consent.

  2. P-02

    never stored in plaintext.

    Reports are end-to-end encrypted client-side to the repo owner's public key. The server holds ciphertext + metadata. The operator cannot read a reported secret.

  3. P-03

    the platform never tests credentials.

    Verification is the owner's job. Using a leaked key — even to confirm it — is exactly the line we don't cross.

  4. P-04

    extortion is forbidden, by design.

    Reports are private by construction; the bounty + escrow is the alternative. Pay-or-leak behavior is bond-slashable and reputation-zeroed.

::: how it works

Three moves.
One feedback loop.

The product is the loop. Submit, triage, release. Each move emits an event the next move trusts.

  1. researcher · in browser

    Encrypted disclosure

    The report is sealed to the program's libsodium public key before it leaves the device. The hash of the plaintext is committed alongside.

    $ sealString(plaintext, program.encryptionPub)
    ciphertext_b64

  2. owner · in browser

    Triage, local-decrypt

    The repo owner decrypts in their browser using a wallet-derived keypair. State transitions are appended to an audit trail. SLA timers keep researchers from being ignored.

    SUBMITTED → TRIAGED
    TRIAGED → ACCEPTED

  3. owner · on-chain

    Escrow → payout

    Owners fund HuntEscrow on Base from their own wallet. Shipping the fix releases the bounty to the researcher and bumps their on-chain reputation by one.

    fund → release → paid

::: roles

Three sides of one disclosure.

researcher

You find leaks, IDOR, RCE in real repos. Sealed reports, paid in $HUNT, reputation on-chain.

  • GitHub OAuth + Base wallet → derived encryption key
  • Browser-side seal; platform never sees plaintext
  • SLA-protected: owners can't sit on you forever

owner

You prove repo control, set scope + rewards, decrypt locally, fund escrow. The fix releases it.

  • GitHub admin-permission verification
  • Local decrypt — never custodial
  • Standard OZ ReentrancyGuard + SafeERC20 escrow

sponsor

Fund standing pools for popular repos or whole ecosystems. Coming in v2.

  • Per-ecosystem standing bounties
  • Read-only reputation board for diligence
  • Slashing pool for spam deterrence

::: for repo owners

Run a program.
Skip the inbox triage.

Prove repo control with GitHub OAuth, publish scope + reward range, and your encryption pubkey is the only thing reports decrypt to. Fund escrow from your own wallet — GitHunt is never custodial.

  • repo verification via OAuth admin permission
  • scope markdown · reward range in $HUNT
  • fund / release / refund from your wallet

::: for researchers

Earn $HUNT
for what you find.

Wallet-derived encryption keypair, browser-side seal, on-chain reputation. The bounty is the better deal — and the only legitimate path to disclosure on this platform.

  • derived keypair · private half never uploaded
  • severity claim · content hash committed
  • reputation +1 per release · soulbound

GitHunt

Coordinated vulnerability disclosure, settled on-chain.
The bounty is the better deal.