Sifchain looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. We are a public open source, decentralized blockchain and omni-chain DEX where most information is publicly queryable to the entire internet. Our primary concern is any vulnerability where an attacker can siphon assets from our users in an unintended way. Secondarily, any vulnerability that could affect or compromise the availability or performance of our blockchain. Any issues beyond that will be considered Low severity at best.
For all security related issues refer to our Bug Bounty Program. Do not open up a GitHub issue if the bug is a security vulnerability
Ensure the bug was not already reported by searching on GitHub under Issues.
Sifchain will make a best effort to meet the following response times for reported vulnerabilities:
- Time to first response (from report submit) - 2 days
- Time to triage (from report submit) - 3 - 5 days
- Time to bounty (from triage) - 3 - 5 days
We’ll try to keep you informed about our progress throughout the process.
- Follow HackerOne's disclosure guidelines.
- Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or Cosmos) but reports to Sifchain with considerable delay, then Sifchain may reduce or cancel the bounty.
For more information check Sifchain bounty program policy at HackerOne