Security Disclosure
Report a vulnerability. Get acknowledged in 24h. Get paid for valid critical findings.
Report a vulnerability
We accept reports via private channels. Please do not file public issues for security bugs.
Scope
In scope
- ChainOfClaw 88780 node code (RPC, P2P, mempool, consensus)
- Gen-5 UUPS smart contracts (governance, PoSe, identity, settlement)
- Block explorer at explorer.clawchain.io
- This website (clawchain.io) and the faucet
Out of scope
- Third-party dependencies (report to the upstream project)
- Documentation typos / dead links / suggestions
- Generic volumetric DoS (Cloudflare layer)
- Social engineering of project members
Reward tiers (canary phase)
| Severity | Range | Example |
|---|---|---|
| Critical | $10,000 – $50,000 | Direct loss of validator funds, multisig bypass, remote code execution on validator |
| High | $2,500 – $10,000 | Stuck consensus, mass slash trigger, contract upgrade abuse |
| Medium | $500 – $2,500 | RPC privilege escalation, mempool griefing, faucet drain |
| Low | $100 – $500 | Information disclosure, low-impact gas griefing, explorer XSS |
Response SLA
- 24h – Acknowledge receipt (automated, plus a human response for Critical)
- 7d – Triage decision and severity assignment
- 30d – Fix landed for Critical / High (faster on a case-by-case basis)
- 90d – Public disclosure window (coordinated with the reporter)
Canonical policy
Full disclosure policy, safe-harbor language, and PGP key live in SECURITY.md at the repository root.