The Web3 Alliance treats the security posture of every substrate component, every member-facing service, and every customer-facing surface as a first-class concern.
This policy covers any repository under github.com/w3a-foundation,
including (without limitation) the onboarding service, the substrate
references in member chains, the IAM tenant, and the public site +
docs surfaces. The policy also covers any first-party deployed
infrastructure listed under docs.w3a.foundation.
Do not file vulnerabilities in public GitHub issues.
Send vulnerability reports to security@w3a.foundation. Encrypt
the report with the Office of the General Counsel's PGP key (published
at https://w3a.foundation/.well-known/security.txt and on the public
keyservers under the same address).
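The steps above (fetch security.txt, confirm it is still current, find the key, encrypt the report) can be sanity-checked before you send anything. The following is an added example, not code from the W3A repositories: it parses a security.txt in the RFC 9116 format, checks the fields a reporter depends on (Contact, a non-expired Expires, an Encryption pointer) and builds the gpg command line. The sample file is constructed, and the key URL in its Encryption field is an assumption; the page only states that the key is published at https://w3a.foundation/.well-known/security.txt and on the public keyservers.

```python
"""Parse and sanity-check a security.txt (RFC 9116) before encrypting a report.

Added example, not W3A code. The sample below is constructed; the Encryption
URL in it is an assumption, not a URL taken from the policy page.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of what https://w3a.foundation/.well-known/security.txt
# might contain. Only the Contact address appears on the policy page.
SAMPLE_SECURITY_TXT = """\
# W3A Foundation security contact (constructed sample)
Contact: mailto:security@w3a.foundation
Encryption: https://w3a.foundation/.well-known/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://w3a.foundation/.well-known/security.txt
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return field name -> list of values. Field names are case-insensitive,
    fields may repeat, and '#' lines are comments (RFC 9116 section 4)."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_timestamp(value: str) -> datetime:
    # RFC 9116 uses ISO 8601; older Pythons reject a trailing 'Z', so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(fields: Dict[str, List[str]], now_iso: Optional[str] = None) -> List[str]:
    """Return a list of problems (empty means the file is usable).
    `now_iso` lets a caller pin the clock; default is the current UTC time."""
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    problems: List[str] = []
    if "contact" not in fields:
        problems.append("missing Contact")
    expires = fields.get("expires")
    if not expires:
        problems.append("missing Expires")
    elif len(expires) > 1:
        problems.append("multiple Expires fields")
    else:
        try:
            when = _parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"unparseable Expires: {expires[0]}")
        else:
            if when <= now:
                # An expired file may point at a rotated or revoked key.
                problems.append(f"security.txt expired on {expires[0]}")
    if "encryption" not in fields:
        problems.append("no Encryption field; cannot encrypt the report")
    return problems


def contact_email(fields: Dict[str, List[str]]) -> Optional[str]:
    """First mailto: Contact, without the scheme; None if there is none."""
    for value in fields.get("contact", []):
        if value.lower().startswith("mailto:"):
            return value[len("mailto:"):]
    return None


def gpg_encrypt_command(report_path: str, recipient: str) -> List[str]:
    """argv for encrypting the report to an already-imported key.
    Import the key from the Encryption URL first (e.g. `gpg --import`), and
    compare its fingerprint with the copy on the keyservers before trusting it."""
    return [
        "gpg", "--armor", "--encrypt",
        "--recipient", recipient,
        "--output", report_path + ".asc",
        report_path,
    ]


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    issues = validate(parsed)
    if issues:
        raise SystemExit("refusing to send: " + "; ".join(issues))
    print(" ".join(gpg_encrypt_command("report.txt", contact_email(parsed))))
```

Because the policy says the same key is published both in security.txt and on the public keyservers, fetch it from both and compare fingerprints before encrypting; a mismatch is a reason to stop and ask, not to pick one.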
Please include:
- A description of the vulnerability
- The repository or service affected
- Reproduction steps
- Suspected severity per the classification below
- Your preferred name + GitHub handle for credit (or "anonymous")
We follow a 90-day coordinated-disclosure window from initial acknowledgment. The Office of the General Counsel will:
- Acknowledge receipt within 3 business days.
- Provide an initial severity assessment within 7 business days.
- Coordinate fix development with the relevant member team.
- Coordinate disclosure timing with the reporter.
- Request a CVE assignment from MITRE / coordinate with CISA where appropriate.
- Publish a security advisory on the affected repository at the coordinated disclosure date.
Where active in-the-wild exploitation is observed, the timeline may compress without prior reporter sign-off; we will give the reporter as much notice as the in-the-wild situation allows.
| Severity | Examples |
|---|---|
| Critical | Remote code execution; key compromise on substrate; loss of customer funds; arbitrary KMS unwrap |
| High | Unauthorized state-machine transition; bypass of pre-trade compliance gate; cryptographic primitive misuse |
| Medium | Information disclosure that does not directly cause loss; rate-limit bypass enabling denial-of-service amplification |
| Low | Minor information disclosure; theoretical vulnerability without practical exploit path |
The Web3 Alliance bug bounty program is in development. Indicative reward tiers (subject to confirmation when the program launches):
- Critical: $25,000 – $100,000+
- High: $5,000 – $25,000
- Medium: $500 – $5,000
- Low: $100 – $500 (or swag + recognition)
In the interim, all reporters of accepted vulnerabilities are credited in the published security advisory unless they request anonymity.
The following are out of scope:
- Reports that require physical access to a user's device
- Reports that require social engineering of a Member's employee
- Reports limited to outdated dependencies without a demonstrated exploit
- Reports against deployments operated by Members under their own brand (route those to the relevant Member's security contact)
Reporters of substantively impactful vulnerabilities are listed at w3a.foundation/security/hall-of-fame with their consent.
- Vulnerability reports: security@w3a.foundation (PGP encrypted)
- Office of the General Counsel: gc@w3a.foundation
- Office of the Chief Architect: architect@w3a.foundation