Home / Terms of Service

Terms of Service

These Terms govern access to and use of Bastion, including researcher accounts, project accounts, vulnerability reports, bounty programs, and launch readiness workflows.

Last updated: June 6, 2026

1. Overview

Bastion is a security coordination platform for Web3 projects and security researchers. Bastion helps projects publish security information, manage vulnerability reports, coordinate bounty programs, and work with researchers. Bastion helps researchers build public reputation, submit reports, participate in programs, and track accepted findings.

Bastion is a coordination platform. It does not guarantee report acceptance, payments, project security, or future rewards.

2. Eligibility

You must be able to legally use the platform in your jurisdiction. You are responsible for complying with applicable laws, regulations, and contractual obligations that apply to your use of Bastion.

You must not use Bastion to conduct unauthorized testing, exploitation, attacks, fraud, spam, harassment, or other unlawful activity.

3. Accounts and Wallet Authentication

Bastion may use wallet-based authentication, including Sign-In With Ethereum (SIWE) or similar methods, to verify account control.

You are responsible for securing your wallets, private keys, devices, and accounts. Bastion cannot recover lost private keys, seed phrases, or wallets. You are responsible for activity performed through your authenticated account.

4. Researcher Responsibilities

Researchers using Bastion must:

  • Follow each program's scope and rules
  • Submit reports only through authorized workflows
  • Avoid accessing, modifying, destroying, or exfiltrating user data outside authorized scope
  • Avoid denial-of-service testing unless explicitly authorized in program rules
  • Avoid social engineering unless explicitly authorized in program rules
  • Provide clear, accurate, good-faith vulnerability reports
  • Respect confidentiality around private reports and messages
  • Not publicly disclose vulnerabilities before authorized disclosure

5. Project Responsibilities

Projects using Bastion must:

  • Provide accurate project information
  • Define scope, rules, and disclosure expectations clearly
  • Review reports in good faith
  • Communicate acceptance, rejection, or required clarification in a timely manner
  • Keep security contacts and project information up to date
  • Be responsible for their own security posture, contracts, policies, and operational response

Projects decide whether reports are valid unless otherwise handled by a defined dispute or review workflow on the platform.

6. Reports and Vulnerability Submissions

Reports may include technical descriptions, reproduction steps, severity assessments, affected assets, and supporting materials. Submitting a report does not guarantee acceptance, payment, reputation impact, or public recognition.

Bastion may track report status, findings, reputation impact, and activity history. Projects may reject reports that are out of scope, duplicate, low quality, unverifiable, spam, abusive, or not security-relevant.

7. Bounty Programs

Bounty programs may include defined scopes, severities, reward ranges, eligibility rules, and review workflows. Escrow-backed bounty programs are only available where configured on the platform.

Reward amounts, eligibility, and payment decisions depend on the specific program and project. Bastion does not guarantee that a submitted report will result in a reward.

8. Robinhood Chain Launch Readiness Programs

Robinhood Chain support on Bastion is currently intended for testnet and launch readiness workflows. Launch Readiness Programs are pre-mainnet security collaboration programs that help projects build security history, receive reports, coordinate with researchers, and prepare for launch.

Launch Readiness Programs may not include escrowed payments. Projects may choose to reward contributors later through grants, tokens, direct payments, hiring, recognition, or other opportunities, but Bastion does not guarantee any such reward. Launch Readiness Programs are not guaranteed paid bounty work.

9. Payments and Rewards

Payments may be processed through configured escrow or payout workflows where available. Arbitrum-based payment or escrow support may be available where configured in the environment and program settings.

Robinhood Chain Launch Readiness Programs do not imply live Robinhood mainnet escrow or payment settlement. Bastion does not guarantee payment unless a specific configured workflow and project commitment applies.

Researchers are responsible for their own taxes and reporting obligations related to any rewards they receive.

10. Prohibited Conduct

Users must not:

  • Attack systems outside authorized scope
  • Attempt unauthorized access to systems, accounts, or data
  • Exfiltrate data outside authorized disclosure workflows
  • Disrupt services through denial-of-service or similar activity
  • Submit spam, fake, or malicious reports
  • Abuse reputation, verification, or ranking systems
  • Impersonate another person or organization
  • Misrepresent findings, scope, or authorization
  • Upload malware except where explicitly required and safely handled in an authorized report workflow
  • Violate applicable laws or platform rules

11. Intellectual Property

Users retain ownership of their own content, reports, and project materials where applicable. By submitting content to Bastion, you grant Bastion permission to host, process, display, and transmit that content as needed to provide and secure the platform.

Projects are responsible for the materials they publish. Researchers are responsible for the materials they submit.

12. Platform Availability

Bastion may change, suspend, or discontinue features at any time. The platform may experience downtime, bugs, or interruptions. Buildathon, testnet, beta, or pre-launch features may change without notice.

13. Limitation of Liability

Bastion is provided on an “as is” and “as available” basis to the maximum extent permitted by law. To the fullest extent permitted by applicable law, Bastion and its operators are not responsible for lost funds, lost opportunities, security incidents, rejected reports, unpaid rewards, project failures, smart contract failures, or third-party actions arising from use of the platform.

Nothing in these Terms limits liability where such limitation is not permitted by law.

14. Changes to Terms

Bastion may update these Terms from time to time. We will update the “Last updated” date when changes are posted. Continued use of Bastion after changes become effective means you accept the updated Terms.

15. Contact

For questions about these Terms, contact the Bastion team through the contact methods provided on the platform.