| Version | Supported |
|---|---|
| main (latest) | Yes |
| older branches | No |
Only the latest revision on main receives security fixes.
Do not open a public GitHub issue for security vulnerabilities.
Report privately via one of these channels:
- Email: security@propchain.io
- GitHub Private Advisory: Use the "Report a vulnerability" button on the Security tab.
Include as much detail as possible:
- A concise description of the vulnerability
- Steps to reproduce or a proof-of-concept
- Affected contract(s) / function(s) and Rust file paths
- Estimated impact (funds at risk, access control bypass, DoS, etc.)
- Any suggested fix or mitigation
We aim to acknowledge your report within 48 hours and provide a remediation timeline within 7 business days.
PropChain operates a community bug bounty program. Rewards are paid in USDC on Polkadot.
In scope:
- All ink! smart contracts under `contracts/`
- The `security-audit` CLI tool
- Cross-contract interactions (bridge, oracle, escrow, compliance)
- Access control and role management (`contracts/traits/src/access_control.rs`)
- Emergency pause / resume mechanism (`contracts/lib/src/lib.rs`)
Out of scope:
- Off-chain indexer or SDK code unless the vulnerability impacts on-chain state
- Third-party dependencies (report to upstream maintainers instead)
- Issues already reported or duplicates of known issues
- Social engineering or phishing attacks
| Severity | Description | Reward (USDC) |
|---|---|---|
| Critical | Arbitrary fund loss, complete access control bypass, permanent DoS | $5,000 – $20,000 |
| High | Partial fund loss, privilege escalation, multi-sig bypass | $1,000 – $5,000 |
| Medium | Temporary DoS, incorrect state transitions, event manipulation | $250 – $1,000 |
| Low | Incorrect error codes, missing events, minor logic flaws | $50 – $250 |
| Informational | Best-practice improvements, gas optimisations | Recognition only |
Severity follows the CVSS v3.1 base score. Final reward is at the discretion of the PropChain security team.
- Test only on testnet (Rococo/Shibuya). Never attack mainnet contracts.
- Do not access or exfiltrate user data beyond what is necessary to demonstrate the vulnerability.
- Avoid actions that degrade system availability for other users.
- Give us a reasonable time to remediate before public disclosure (coordinated disclosure).
- One reward per unique vulnerability; duplicates receive no reward.
- Day 0 – Researcher submits report privately.
- Day 1–2 – PropChain confirms receipt and assigns severity.
- Day 7 – Remediation plan communicated to researcher.
- Day 30–90 – Fix developed, audited, and deployed (depends on severity).
- Post-fix – Public advisory published; researcher credited (if desired).
We follow a coordinated disclosure model. We will not pursue legal action against researchers who:
- Act in good faith and report through the channels above
- Do not exploit vulnerabilities beyond a proof-of-concept
- Give us adequate time to remediate before public disclosure
security@propchain.io — PGP key available on request.