Forgd Academy
Lesson 5 of 7

How should I structure a bug bounty program?

Launch the bounty program at least four weeks before the token generation event (TGE), hosted on a platform like Immunefi, so researchers already know where to look and how they will be paid before real funds are at stake. Tier payouts by severity: critical vulnerabilities (user or protocol funds directly at risk) should pay $50K-$500K+ depending on TVL; high-severity issues $10K-$50K; medium $1K-$10K. A critical payout has to be competitive with what an attacker could make by exploiting the bug; if it is a rounding error next to the funds it protects, the bounty is decorative. Revisit the tiers as TVL changes, since a cap set at launch will be too low a year later.

Scope it clearly. List the exact in-scope contracts (addresses and repositories, not just names), state what is explicitly out of scope (already-known issues, third-party dependencies, the front end, if that is your intent), define what counts as a valid finding and how severity is assigned, and publish a response SLA: time to first acknowledgement, time to triage decision, time to payment. Vague scope and slow response times drive researchers away; an unanswered critical report is also a report that may end up somewhere else. The best bug bounty programs are treated as a permanent security layer, not a one-time marketing exercise: the scope is updated with every deployment, and the program stays open for as long as the contracts hold funds.


© 2026 Forgd. All rights reserved. Terms & Conditions