The bounty pays the instant the CVE lands.
Define the criteria once — target product, CVSS floor, vulnerability class. When a matching advisory is published, a Somnia Agent verifies it on chain and the escrow settles. No committee. No discretion.
✓ deploy  criteria locked · escrow funded
>>> claim  CVE-2026-18420 broadcast · pending
✓ settle  match confirmed · 2,500 STT → claimant
Every bounty carries a hard CVSS floor.
Built around the advisory lifecycle — not a generic escrow form.
Scope, severity, claim, verdict, settlement. The whole path is on chain and public.
Lock the criteria
Deploy product, CVSS floor, vuln class, expiry and escrow in a single signed transaction.
Publish a CVE claim
Any wallet submits a CVE identifier and a claimant address while the bounty is watching.
Evidence and review
Somnia agents gather typed API and webpage evidence, then produce a primary decision and memo.
Dispute and settlement
A dispute window can reopen adjudication before a tool-reviewed settlement path approves payout or rejection.
Bug-bounty promises are weak when the payout rules live off chain.
Traditional programs run on private policy interpretation, manual review and company discretion. CVE Bounty makes the qualifying conditions public and immutable before anyone submits a claim.
If the CVE matches, the contract pays. If it does not, no operator can force a payout. If the bounty expires unused, the poster reclaims the escrow. The terms cannot move after deployment.
Open the console and lock your first bounty policy.
Compose criteria, track live bounties on the board, and watch settlement stream in.