Responsible disclosure
Found something? We want to hear it — calmly and privately.
If you've found a vulnerability in something we maintain, or in a program we support, this is how to reach us. Every report that comes from a real person is read by one of us, and we reply.
What to include
- The affected target — contract address and chain, repository, or URL.
- A clear description of the issue and the impact you believe it has.
- Steps to reproduce, ideally a proof of concept: a script, a failing test, or a transaction sequence (reproduced on a local fork or testnet where possible, not against live systems or other people's funds).
- Any conditions or assumptions the issue depends on.
What you can expect
- An acknowledgement within two business days.
- An honest assessment of severity once we've reproduced it.
- Coordinated timing: we won't publish, or ask you to publish, before a fix is reasonably possible.
- Credit if you'd like it, and discretion if you wouldn't.
Good-faith research
Test only against systems you're authorized to test. Don't access or modify data that isn't yours, don't degrade service, and don't withhold findings in exchange for payment. Research done in good faith under these terms is welcome, and we'll act in good faith in return. If you're reporting on behalf of a program we support, that program's own policy and scope take precedence over this page.