Bug Bounty Program

Help us keep MIA AI secure. Report vulnerabilities and earn rewards in $MIA tokens.

⚠️ Work in Progress: The Bug Bounty program is currently being set up. Reward amounts are TBD (To Be Determined) and will be announced soon. All confirmed vulnerabilities will be retroactively rewarded once the program is finalized.

Severity Levels & Rewards

CRITICAL

TBDin $MIA

Vulnerabilities that could lead to complete system compromise or significant data breach.

Examples:

•Remote code execution (RCE)
•SQL injection leading to data exfiltration
•Authentication bypass allowing access to any account
•Access to admin panel without credentials
•Unauthorized access to other users' private data or messages
•API key exposure or theft

HIGH

TBDin $MIA

Vulnerabilities that significantly impact security but require specific conditions.

Examples:

•Stored Cross-Site Scripting (XSS)
•Cross-Site Request Forgery (CSRF) on sensitive actions
•Privilege escalation between user roles
•Rate limit bypass enabling abuse
•Session hijacking or fixation
•Insecure direct object references (IDOR)

MEDIUM

TBDin $MIA

Vulnerabilities with limited impact or requiring user interaction.

Examples:

•Reflected Cross-Site Scripting (XSS)
•Information disclosure (non-sensitive data)
•Denial of Service (DoS) attacks
•Prompt injection affecting other users' conversations
•Memory injection allowing malicious public memories
•Clickjacking on sensitive pages

LOW

TBDin $MIA

Minor vulnerabilities with minimal security impact.

Examples:

•Self-XSS (requires victim to paste malicious code)
•Minor information leaks (software versions, etc.)
•UI/UX security issues
•Missing security headers (non-critical)
•Verbose error messages
•Username enumeration

Program Rules

✅ In Scope

• mia.miao.gg web application
• Authentication and session management
• Chat and messaging functionality
• Memory system (public/private)
• API endpoints
• Voice integration

❌ Out of Scope

• Third-party services (xAI, Cloudflare, etc.)
• Social engineering attacks
• Physical attacks
• DoS attacks that disrupt service
• Automated scanning without permission

📋 Submission Guidelines

• Provide clear description of the vulnerability
• Include step-by-step reproduction steps
• Document potential impact
• Include proof of concept (screenshots, videos, code)
• Do not access or modify other users' data
• Do not publicly disclose before fix is deployed

$MIA Token

All bug bounty rewards will be paid in $MIA Token on Solana.

Contract Address

FyPDfX92B4uEk4zZouy96d1Kk1LgnCznBpzAFSsZpump

View on pump.fun

Submit a Report

Found a vulnerability? Reach out to us on X (Twitter) for now. A dedicated submission portal is coming soon.

Contact @miao_xAI