Last updated: June 6, 2026
1. Overview
Bastion is a security coordination platform for Web3 projects and security researchers. Bastion helps projects publish security information, manage vulnerability reports, coordinate bounty programs, and work with researchers. Bastion helps researchers build public reputation, submit reports, participate in programs, and track accepted findings.
Bastion is a coordination platform. It does not guarantee report acceptance, payments, project security, or future rewards.
2. Eligibility
You must be able to legally use the platform in your jurisdiction. You are responsible for complying with applicable laws, regulations, and contractual obligations that apply to your use of Bastion.
You must not use Bastion to conduct unauthorized testing, exploitation, attacks, fraud, spam, harassment, or other unlawful activity.
3. Accounts and Wallet Authentication
Bastion may use wallet-based authentication, including Sign-In With Ethereum (SIWE) or similar methods, to verify account control.
You are responsible for securing your wallets, private keys, devices, and accounts. Bastion cannot recover lost private keys, seed phrases, or wallets. You are responsible for activity performed through your authenticated account.
4. Researcher Responsibilities
Researchers using Bastion must:
- Follow each program's scope and rules
- Submit reports only through authorized workflows
- Avoid accessing, modifying, destroying, or exfiltrating user data outside authorized scope
- Avoid denial-of-service testing unless explicitly authorized in program rules
- Avoid social engineering unless explicitly authorized in program rules
- Provide clear, accurate, good-faith vulnerability reports
- Respect confidentiality around private reports and messages
- Not publicly disclose vulnerabilities before authorized disclosure
5. Project Responsibilities
Projects using Bastion must:
- Provide accurate project information
- Define scope, rules, and disclosure expectations clearly
- Review reports in good faith
- Communicate acceptance, rejection, or required clarification in a timely manner
- Keep security contacts and project information up to date
- Be responsible for their own security posture, contracts, policies, and operational response
Projects decide whether reports are valid unless otherwise handled by a defined dispute or review workflow on the platform.
6. Reports and Vulnerability Submissions
Reports may include technical descriptions, reproduction steps, severity assessments, affected assets, and supporting materials. Submitting a report does not guarantee acceptance, payment, reputation impact, or public recognition.
Bastion may track report status, findings, reputation impact, and activity history. Projects may reject reports that are out of scope, duplicate, low quality, unverifiable, spam, abusive, or not security-relevant.
7. Bounty Programs
Bounty programs may include defined scopes, severities, reward ranges, eligibility rules, and review workflows. Escrow-backed bounty programs are only available where configured on the platform.
Reward amounts, eligibility, and payment decisions depend on the specific program and project. Bastion does not guarantee that a submitted report will result in a reward.
8. Robinhood Chain Launch Readiness Programs
Robinhood Chain support on Bastion is currently intended for testnet and launch readiness workflows. Launch Readiness Programs are pre-mainnet security collaboration programs that help projects build security history, receive reports, coordinate with researchers, and prepare for launch.
Launch Readiness Programs may not include escrowed payments. Projects may choose to reward contributors later through grants, tokens, direct payments, hiring, recognition, or other opportunities, but Bastion does not guarantee any such reward. Launch Readiness Programs are not guaranteed paid bounty work.
9. Payments and Rewards
Payments may be processed through configured escrow or payout workflows where available. Arbitrum-based payment or escrow support may be available where configured in the environment and program settings.
Robinhood Chain Launch Readiness Programs do not imply live Robinhood mainnet escrow or payment settlement. Bastion does not guarantee payment unless a specific configured workflow and project commitment applies.
Researchers are responsible for their own taxes and reporting obligations related to any rewards they receive.
10. Prohibited Conduct
Users must not:
- Attack systems outside authorized scope
- Attempt unauthorized access to systems, accounts, or data
- Exfiltrate data outside authorized disclosure workflows
- Disrupt services through denial-of-service or similar activity
- Submit spam, fake, or malicious reports
- Abuse reputation, verification, or ranking systems
- Impersonate another person or organization
- Misrepresent findings, scope, or authorization
- Upload malware except where explicitly required and safely handled in an authorized report workflow
- Violate applicable laws or platform rules
11. Intellectual Property
Users retain ownership of their own content, reports, and project materials where applicable. By submitting content to Bastion, you grant Bastion permission to host, process, display, and transmit that content as needed to provide and secure the platform.
Projects are responsible for the materials they publish. Researchers are responsible for the materials they submit.
12. Platform Availability
Bastion may change, suspend, or discontinue features at any time. The platform may experience downtime, bugs, or interruptions. Buildathon, testnet, beta, or pre-launch features may change without notice.
13. Limitation of Liability
Bastion is provided on an “as is” and “as available” basis to the maximum extent permitted by law. To the fullest extent permitted by applicable law, Bastion and its operators are not responsible for lost funds, lost opportunities, security incidents, rejected reports, unpaid rewards, project failures, smart contract failures, or third-party actions arising from use of the platform.
Nothing in these Terms limits liability where such limitation is not permitted by law.
14. Changes to Terms
Bastion may update these Terms from time to time. We will update the “Last updated” date when changes are posted. Continued use of Bastion after changes become effective means you accept the updated Terms.
15. Contact
For questions about these Terms, contact the Bastion team through the contact methods provided on the platform.