To report a security vulnerability, send an email to security@humanode.io or use Github Private Security Vulnerability Reporting feature.

Please reach out to us in private via methods above; do not create a GitHub issue (since they are visible to anyone), or use public Discord server, public Telegram groups or other public communication channels.

We will reply to you with a confirmation that we received your message, and provide our feedback. You can expect a reply from us within 24 hours - usually even quicker.

We will aim to coordinate the vulnerability disclosure together with you and other affected parties in order to give everyone time to apply the necessary measures to reduce the impact of the vulnerability after its disclosure.

You can expect this process to have immediate attention from the core dev team for high-risk issues. Generally, we will aim to address all security-related issues within 30 days.

Regardless of the running bounty programs, any vulnerability can be reported - however, there will be no rewards for vulnerabilities outside of the running bounty programs.

If you were unable to reach our security team using the contact information mentioned above within the expected time frame you can try reaching out to our community assistants and telling them you have a security vulnerability to disclose. They will likely direct you here, but you should mention you did not receive a reply from the security team in time. They will be able to use the internal communication channels to help establish the contact. Please try reaching the security team directly first, and only involve the community assistants if the direct communication did not work.

Currently the Humanode Bounty Program is not active.

We will add relevant information here once we have an update.

The security policy will be periodically reviewed and updated as necessary to reflect changes in procedures or contact information.