The Decred project runs a bug bounty program which is approved by the stakeholders and is funded by the Decred treasury.
Please refer to the bounty website to understand the scope and how to submit a vulnerability.
dcrlnd is part of Decred's Bug Bounty Program
on an experimental basis while we haven't yet deployed into mainnet.
Additionally, given the current nature of this work as a fork from the original
lnd code, bugs that have been submitted to the upstream lnd project are not
eligible for the bug bounty program unless the following points apply:
- The bug affects a mainnet worthy release of
dcrlnd; - The fix for the bug was not merged from the upstream repo while a substantial amount of upstream commits that are newer than the relevant one were merged;
- The bug is not critical to
lndbut it is todcrlnd.