HackenProof
- Name: HackenProof
- URL: https://hackenproof.com/
- Category: web3 security marketplace / bug-bounty platform / crowdsourced-audit and triage infrastructure
- Summary: HackenProof is a smaller rule-heavy security marketplace. The note matters because the control surfaces are explicit: researcher admission, client-versus-platform triage power, mediation, disclosure timing, and per-format incentive rules across public bounties, private programs, crowdsourced audits, and DualDefence contests.
- What it does:
- Runs public bug-bounty programs that are open to everyone, run indefinitely, and are framed as having no budget cap, aimed at mature products
- Offers private bug-bounty programs where projects hand-pick a smaller researcher set and keep participation anonymous
- Operates time-limited crowdsourced audits with predictable budgets, HackenProof-run review, and final audit-report production
- Splits company-side authority into explicit roles including Company Admin, Company Manager, Program Manager, Program Triager, and Report Viewer
- Provides report validation, triage, and mediation workflows rather than leaving sponsor-versus-researcher disputes entirely off-platform
- Uses a more opinionated DualDefence contest mode with phase rules, limits on post-submission additions, and duplicate-sensitive bounty sharing for accepted critical findings
- Key claims:
- The docs describe HackenProof as a web3 bug-bounty platform for exchanges, protocols, and smart contracts, with services spanning public and private bug bounties, crowdsourced audits, online hackathons or live-hacking events, and triage or mediation support.
- The services docs say public bug bounties are open to everyone on the platform while private programs use an anonymous, hand-picked researcher set. That makes admission policy a first-class platform surface rather than a background ops detail.
- The audit-process docs say crowdsourced audits are time-limited, have predictable budgets, require code freeze during the audit, and are restricted to qualified auditors. That researcher-gating layer is one of the clearer distinctions from fully open crowd-review markets.
- The users-and-roles docs make company-side permissioning unusually explicit. Admins and managers can see company-wide programs and payments, while program-level managers and triagers are scoped to specific programs and report viewers do not get broader company-account access.
- The bug-bounty-process docs keep the client as final arbiter of severity and bounty, but also state that HackenProof may review downgraded reports and can delist programs that ignore the SLA or unfairly reduce severity. That is real mediation power, not just ticket routing.
- The judging-and-triaging docs say duplicate findings in audit contests can still receive bounty shares, and researchers can request mediation when they disagree with triage. Duplicate policy is part of the market design here, not an implementation footnote.
- The vulnerability-disclosure docs say disclosure is mutual by default after a report reaches Resolved status, but security teams may disclose earlier without the hunter’s agreement if active exploitation requires user warning or remediation guidance. So disclosure governance is productized rather than left informal.
- The DualDefence docs add a stricter contest-policy layer: reports must be self-contained at submission, preliminary comments are constrained to technical rebuttals, public discussion is barred until official results, and critical-issue rewards use a sybil-resistant duplicate-decay formula, 1 * (0.9^(N - 1)) / N, where N is the number of accepted reports of the same critical issue, so each reporter's share shrinks faster than a plain 1/N split.
- Whitepaper: No canonical HackenProof whitepaper or litepaper surfaced in this pass. The clearest primary materials were the official docs for services, role controls, bug-bounty flow, crowdsourced-audit flow, judging and mediation, disclosure, and DualDefence rules, collected in ../whitepapers/hackenproof-primary-sources-2026-05-15.md.
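Worked check of the DualDefence duplicate-decay rule quoted under Key claims. This is an added example for this note, not HackenProof code; it uses only the formula as written on the page, share(N) = 1 * 0.9^(N - 1) / N, and assumes (assumption) that the leading 1 stands for the full reward a single reporter would receive and that N counts accepted reports of the same critical issue. It tabulates the per-reporter share and the total paid per issue, and carries the formula through the sybil case: a lone finder who splits one finding across extra accounts collects less than 1, but once another genuine reporter exists the split can still come out ahead on this formula alone, which is an observation about the quoted arithmetic, not about any further rule the docs may apply.

```python
# Added worked example for this note; not HackenProof code. It only uses the
# formula quoted on the page, share(N) = 1 * 0.9^(N - 1) / N, and assumes
# (assumption) that "1" is the full reward a single reporter would receive and
# that N counts accepted reports of the same critical issue.
from fractions import Fraction

DECAY = Fraction(9, 10)  # the 0.9 base from the page's formula


def share(n: int) -> Fraction:
    """Fraction of the single-finder reward paid to each of n accepted reporters."""
    if n < 1:
        raise ValueError("n must be at least 1")
    return DECAY ** (n - 1) / n


def total_paid(n: int) -> Fraction:
    """Total paid out for one issue when n reports of it are accepted (n * share(n))."""
    return n * share(n)


def sybil_gain(k: int, others: int) -> Fraction:
    """Extra income (positive) or loss (negative) for one researcher who files the
    same finding from k accounts instead of one, when `others` independent
    researchers also have it accepted. Total accepted reports become others + k."""
    if k < 1 or others < 0:
        raise ValueError("k must be >= 1 and others >= 0")
    honest = share(others + 1)      # one account: others + 1 accepted reports
    split = k * share(others + k)   # k accounts:  others + k accepted reports
    return split - honest


def payout_table(max_n: int = 5) -> list[tuple[int, float, float]]:
    """Rows of (n, per-reporter share, total paid for the issue), as floats."""
    return [(n, float(share(n)), float(total_paid(n))) for n in range(1, max_n + 1)]


if __name__ == "__main__":
    for n, per, total in payout_table():
        print(f"N={n}: each gets {per:.4f}, issue pays out {total:.4f} in total")
    # A lone finder who splits into two accounts collects 0.9 instead of 1.0.
    print("lone finder, 2 accounts:", float(sybil_gain(2, 0)))
    # With one other genuine reporter, two accounts collect 0.54 versus 0.45,
    # so the decay alone does not make splitting unprofitable in every case.
    print("one other reporter, 2 accounts:", float(sybil_gain(2, 1)))
```

The total paid for an issue is 0.9^(N - 1), which strictly decreases with N; that is the property behind the "sybil-resistant" label for a single reporter. `sybil_gain` shows where the quoted formula on its own stops short, which is the kind of check worth running before relying on the label.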
Sources
- https://hackenproof.com/
- https://docs.hackenproof.com/
- https://docs.hackenproof.com/welcome/readme/services-we-provide.md
- https://docs.hackenproof.com/dashboard/company-dashboard/users-and-roles.md
- https://docs.hackenproof.com/bug-bounty/bug-bounty-process.md
- https://docs.hackenproof.com/crowdsourced-audit/audit-process.md
- https://docs.hackenproof.com/crowdsourced-audit/judging-triaging.md
- https://docs.hackenproof.com/good-to-know/vulnerability-disclosure.md
- https://docs.hackenproof.com/dualdefense-audit/contest-phases.md
- https://docs.hackenproof.com/dualdefense-audit/dd-bounty-distribution-rules.md
- https://github.com/hackenproof-public
- https://raw.githubusercontent.com/hackenproof/web3-bug-bounty-platform/master/README.md
Internal linkages
Comparable to / differs from
- Differs from: broader lifecycle-security stacks that bundle coverage, monitoring, or heavier managed review. HackenProof is the smaller rulebook-driven marketplace version.
Control / trust posture
- Real authority sits in researcher admission, client-versus-platform triage rights, mediation escalation, disclosure timing, and the payout logic chosen for each program format.
- So the note is useful as a governance specimen, not as a category anchor.
Last reviewed: 2026-06-03 UTC