Escrow-backed security bounties

Trust-Aligned Bounty Escrow

Bastion escrow reserves bounty funds for valid disclosures, giving researchers confidence that accepted findings can be rewarded, and giving projects a transparent on-chain coordination layer.

Escrow model

Funds reserved. Release on acceptance.

Project funds escrow after acceptance
Funds held until payout decision
Release to researcher or refund to project
Educational overview, not live balance data

The problem

Why Escrow Exists

Bug bounty programs fail when payout trust breaks down. Escrow gives both sides a transparent coordination layer.

Trust gap in bounty payouts

Researchers need assurance that valid findings will be rewarded. Projects need a clear, accountable process for reserving and releasing funds.

Alignment through reserved funds

Escrow creates a shared commitment: bounty funds are set aside for accepted disclosures rather than handled ad hoc off-platform.

Part of continuous security

Escrow is one module in Bastion's workflow, alongside disclosure, reputation, and program management, not a standalone payout tool.

Process

How Escrow Works

From accepted report to on-chain release, Bastion coordinates off-chain workflow with on-chain fund custody.

  1. Report accepted

     A vulnerability report reaches an accepted or resolved state through Bastion's coordinated disclosure workflow.

  2. Project funds escrow

     The project wallet approves and funds escrow on-chain. Bastion verifies the transaction and indexes the deposit.

  3. Funds held securely

     USDC remains in escrow until the project releases to the researcher or refunds after rejection.

  4. Release or refund

     On payout, funds release to the researcher. If a funded report is rejected, the project can refund to itself.

  5. Disclosure attestation

     Researchers may register a disclosure hash on-chain as proof of submission timing, without exposing report plaintext.

Researchers

Benefits for Researchers

Escrow supports credible, repeatable security work, not one-off promises.

Reward visibility

Accepted findings follow a defined path toward on-chain release, reducing uncertainty about whether funds exist.

Fair process

Escrow works alongside Bastion's report lifecycle, dispute resolution, and reputation systems.

Portable credibility

Completed bounty workflows contribute to your public researcher passport and reputation on Bastion.

Projects

Benefits for Projects

Demonstrate bounty maturity while keeping release control in project hands.

Reserved bounty capital

Fund escrow when ready to pay, demonstrating commitment to researchers without premature disbursement.

Clear lifecycle control

Projects initiate funding, release, and refund actions through verified wallet transactions.

Researcher confidence

Escrow-backed programs signal maturity and help attract serious security researchers to your bounty program.

States

Escrow Lifecycle

Each report escrow moves through defined states tracked by Bastion and verified on-chain.

Unfunded

Report accepted; escrow not yet funded by the project.

Funded

USDC deposited on-chain; held until release or refund.

Released

Funds sent to the researcher after valid payout approval.

Refunded

Funds returned to the project when a funded report is rejected.

Lifecycle diagram: educational reference. Live escrow status appears on individual report pages when configured.
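The state machine above, together with the disclosure attestation from step 5 of the process section, written out as an added Python reference model (not Bastion's code and not its contract): the wallet address strings and the report_rejected flag are assumed inputs, and every transition is gated on the project wallet and on the current state.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    UNFUNDED = "Unfunded"   # report accepted, project has not deposited yet
    FUNDED = "Funded"       # USDC held; only release or refund can follow
    RELEASED = "Released"   # terminal: paid to the researcher
    REFUNDED = "Refunded"   # terminal: returned to the project after rejection

@dataclass
class ReportEscrow:
    project: str                    # project wallet (hypothetical address string)
    researcher: str                 # payout recipient wallet
    amount: int = 0                 # USDC in base units (6 decimals)
    state: State = State.UNFUNDED
    report_rejected: bool = False   # set by the disclosure workflow, not by escrow

    def _only_project(self, caller: str) -> None:
        if caller != self.project:
            raise PermissionError("only the project wallet may act on this escrow")

    def fund(self, caller: str, amount: int) -> None:
        self._only_project(caller)
        if self.state is not State.UNFUNDED or amount <= 0:
            raise ValueError(f"cannot fund escrow in state {self.state.value}")
        self.amount, self.state = amount, State.FUNDED

    def release(self, caller: str):
        self._only_project(caller)
        if self.state is not State.FUNDED or self.report_rejected:
            raise ValueError("release requires a funded, non-rejected report")
        self.state = State.RELEASED
        return self.researcher, self.amount   # (recipient, amount) of the payout

    def refund(self, caller: str):
        self._only_project(caller)
        if self.state is not State.FUNDED or not self.report_rejected:
            raise ValueError("refund requires a funded report that was rejected")
        self.state = State.REFUNDED
        return self.project, self.amount

def disclosure_hash(report: bytes, salt: bytes) -> str:
    # Commitment to the report; only this digest is published, never the plaintext.
    return hashlib.sha256(salt + report).hexdigest()

def verify_disclosure(report: bytes, salt: bytes, committed: str) -> bool:
    return hmac.compare_digest(disclosure_hash(report, salt), committed)
```

The salt keeps a low-entropy report from being recovered by guessing against the public hash; the researcher reveals report and salt together only when proving submission timing.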

Roadmap

Future Support

Bastion escrow is designed to evolve with ecosystem maturity, without compromising funded escrows.

Stronger custody models

Future escrow versions may introduce multisig ownership and enhanced governance for higher-value programs.

Contract migration path

Bastion ships escrow improvements as new contract versions with app-level address migration, not in-place upgrades of production escrows.

Expanded chain support

Arbitrum One is the primary settlement layer today, with optional support for additional ecosystems as infrastructure matures.

Ready to explore active programs?

Browse escrow-backed bounty programs from projects on Bastion, or create a program from your Security Operations Center.