This document outlines our security policy and guidelines on disclosing vulnerabilities. We use github Security Advisory to manage the process, so please ensure you've 2FA enabled on your github account before disclosing any vulnerability.

1. Create a security advisory on github
2. Include a demonstration or a POC along with detailed bug report.
3. A member from our security team will look into it with in 48 hours. If you haven't received any acknowledgement please send an email to hello@gum.fun and escalate it.

⚠️ DO NOT CREATE A GITHUB ISSUE to report a security vulnerability.

We really appreciate your interest in helping us keep things secure and serving the ecosystem better.

We haven't undergone any 3rd party security audits. However, we do expect to conduct a thorough audit in the future.

Due to financial constraints, we do not currently have a paid bug bounty program. We expect this to change in the future, although do not guarantee it, in which case retrospective grants will be considered on a case by case basis.