Security Disclosure

Report a vulnerability. Get acknowledged in 24h. Get paid for valid critical findings.

Report a vulnerability

We accept reports via private channels. Please do not file public issues for security bugs.

Scope

In scope

  • ChainOfClaw 88780 node code (RPC, P2P, mempool, consensus)
  • Gen-5 UUPS smart contracts (governance, PoSe, identity, settlement)
  • Block explorer at explorer.clawchain.io
  • This website (clawchain.io) and the faucet

Out of scope

  • Third-party dependencies (report to the upstream project)
  • Documentation typos / dead links / suggestions
  • Generic volumetric DoS (Cloudflare layer)
  • Social engineering of project members

Reward tiers (canary phase)

| Severity | Range             | Example                                                                          |
|----------|-------------------|----------------------------------------------------------------------------------|
| Critical | $10,000 – $50,000 | Direct loss of validator funds, multisig bypass, remote code execution on validator |
| High     | $2,500 – $10,000  | Stuck consensus, mass slash trigger, contract upgrade abuse                       |
| Medium   | $500 – $2,500     | RPC privilege escalation, mempool griefing, faucet drain                          |
| Low      | $100 – $500       | Information disclosure, low-impact gas griefing, explorer XSS                     |

Response SLA

  • 24h — Acknowledge receipt (auto + human for Critical)
  • 7d — Triage decision and severity assignment
  • 30d — Fix landed for Critical / High (faster on case-by-case)
  • 90d — Public disclosure window (coordinated with reporter)

Canonical policy

Full disclosure policy, safe-harbor language, and PGP key live in SECURITY.md at the repository root.