The bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds, economic exploits, and smart contract security risk.
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
All web and app bug reports must come with a PoC in order for consideration for a reward. All bug reports without a PoC will be automatically rejected with instructions to provide a PoC.
Payouts are handled by the Tranche Finance team directly and are denominated in USD. However, payouts are done in a mix of stablecoins and project tokens.