If you believe you have found a security vulnerability, please report it to us responsibly at [email protected]
Please DO NOT report security vulnerabilities through public GitHub issues.
In your report, please include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any possible mitigations
We maintain a bug bounty program to reward security researchers who help us identify and fix vulnerabilities.
In scope in main branch:
- Main application code
- API endpoints
- Authentication systems
Bounties are awarded based on severity, impact and likelihood:
| Severity | Maximum | Example |
|---|---|---|
| Medium | $1,000 USD | A bug that causes the relay to go offline |
| High | $15,000 USD | A bug that causes proposers to miss several slots |
| Critical | $25,000 USD | A bug that causes an untrusted proposer to access an invalid unblinded payload |