WhiteClaws is a decentralized bug bounty marketplace. 457 protocols listed with contract addresses, scope definitions, docs, and security contacts. You submit findings. Protocols pay you. No middleman triaging or routing your work.
Sign in with your wallet (MetaMask, Coinbase Wallet, or any EVM wallet), X/Twitter, GitHub, or email. If you use a wallet, it becomes your identity and payout address. If you use email or social, you can link a wallet later in Settings.
Click "Connect Wallet" on the right; our provider (Coinbase OnchainKit) lets you create one in about 30 seconds. A wallet is just a digital address where you receive payouts. You don't need to buy any crypto to start.
After sign-in, you'll mint a non-transferable token on Base chain. This is your permanent researcher ID; it can't be sold, traded, or faked. Early minters before Season 1 opens are flagged as early supporters.
A regular NFT can be bought and sold on marketplaces. A "soulbound" NFT is locked to your wallet permanently: it's a membership badge, not a speculative asset. WhiteClaws uses it to ensure each researcher is counted once, protecting the airdrop from bot farms.
Base is a Layer 2 network built on Ethereum by Coinbase. Transactions are fast and gas is fractions of a cent. Your wallet works on Base automatically.
Quick OAuth flow + a verification tweet linking your X handle to your wallet. Creates a permanent 1-to-1 binding: one X account per wallet, one wallet per X account.
X verification serves two purposes, and neither is engagement farming. First, Sybil resistance: requiring a real X account (minimum age + followers) blocks bot armies. Second, social proof: when you share an accepted finding, your referral link is included, growing the platform through real security wins. WhiteClaws never asks you to like, retweet, follow, or shill anything.
The /bounties page lists all 457 programs. Each shows: protocol name, category, chains, max bounty, and whether a PoC is required. Click into any program for the full scope: in-scope contracts with addresses and chains, severity definitions with payout ranges, exclusions, documentation links, and the protocol's encryption public key for secure report submission.
Filter by chain, bounty range, category, or whether contracts are published.
You can submit from the website at /submit through a guided wizard, or via the REST API at POST /api/agents/submit, the same endpoint agents use. Both require authentication.
Each submission includes: title, severity (critical / high / medium / low), description, and optionally a proof-of-concept URL. You can encrypt your report with the protocol's NaCl public key so that only they can read it. Encrypted submissions earn bonus $WC points. Some programs require a PoC or KYC; this is visible on the bounty page before you submit.
After submission, the protocol is notified via email directly. If no direct contact exists, WhiteClaws routes to Immunefi as fallback. Protocols set a response SLA (default 72 hours); their average response time is tracked and visible on their stats page.
First valid submission wins. If yours is a duplicate, the protocol marks it and links it to the original, and you receive a mild point penalty (-15). Rejected findings carry a -25 penalty. Repeated low-quality submissions trigger spam flags. There's a cooldown between submissions to the same protocol (default 24h). These rules exist to keep signal-to-noise high.
Finding lifecycle:
Submitted → Triaged → Accepted → Paid
Or: Submitted → Rejected (with reason) or Duplicate (linked to original). You can add comments and the protocol can request more info at any stage.
When a protocol accepts your finding, they pay you directly on Base. The default currency is USDC, but protocols can pay in ETH or their native token; it's set per program. Payout ranges are defined by severity: critical findings on major protocols can pay up to $10M. The transaction hash is recorded on WhiteClaws so everything is verifiable onchain.
Your payout wallet can be different from your sign-in wallet β configure it in /app/settings.
Every meaningful action earns points. Points convert to $WC tokens at season end. Your allocation = your share of total points across all participants.
Points are weighted by impact; security findings dominate:
There's a weekly cap per wallet to prevent domination, and inactive accounts lose points over time through decay. Streaks reward consistency: every consecutive week with at least one submission increments your streak counter, with scaling bonus points at milestones (4, 8, 12 weeks). Break the streak and it resets.
The public leaderboard at /leaderboard ranks everyone by bounty earnings. The season points leaderboard at /api/points/leaderboard shows your rank relative to all participants. At season end, you claim $WC via Merkle proof with partial vesting: some released immediately, the rest over time.
You get a unique referral code (wc-xxxxx) tied to your wallet. When someone signs up via your code, the referral is tracked but earns nothing until they complete a qualifying action (submit a finding, register a protocol, or fund escrow). Then you earn a percentage of their security + growth points. Single level only. Same-wallet detection and circular referral blocking are enforced.
Your researcher dashboard includes:
Points breakdown by tier (security / growth / engagement / social)
Season rank and estimated $WC allocation
Full submission history with live status tracking
Referral code, qualified count, and bonus earned
Active streak and next milestone
X verification status
SBT badge status
Payout wallet settings
No applications. No waiting list. Sign in and you're live.
No wallet yet? Click "Connect Wallet" above; you can create one instantly.