Security policy
XDCTrade welcomes good-faith security research. This page describes what is in scope, how to report a vulnerability, the SLAs you can expect from us, and the safe-harbor terms we offer in return.
Report a vulnerability
PGP key fingerprint: REPLACE_WITH_PGP_FINGERPRINT_BEFORE_PUBLIC_LAUNCH
In scope
| Area | Assets |
| --- | --- |
| Web app | xdctrade.xyz, app.xdctrade.xyz, all subdomains |
| API | api.xdctrade.xyz, all /api/v1/* endpoints |
| Smart contracts | OrderBookSettlement, Vault, Oracle, MockUSDC, Staking, Governance |
| Off-chain services | Sequencer, indexer, market-maker, pricer, spot engine |
Out of scope
- Social engineering of team members
- Physical attacks against infrastructure
- DoS / volumetric attacks (use rate-limit reports instead)
- Findings already public on GitHub issues / Discord
- Vulnerabilities that require root access on the victim's machine
- Best-practice recommendations without an exploit (e.g. "should use HSTS preload" — we already do)
Severity & response SLAs
- Examples: Drain user funds · forge orders · bypass settlement · oracle manipulation that liquidates users · privilege escalation on contracts
- Examples: Withdraw another user's funds · forge another user's order · bypass risk checks · authentication bypass on protected APIs
- Examples: Read another user's private data · griefing via rate-limit gaps · session/cookie issues · bypass minor restrictions
- Examples: Best-practice deviations · minor information leaks · self-XSS · clickjacking on non-sensitive pages
The platform is currently in public beta on testnet (mUSDC) and a formal bug-bounty program with monetary payouts is not yet active. Verified critical and high-severity findings will receive priority on the bug-bounty whitelist when it launches.
Process
1. Confirm the issue is in scope
   Use the scope table above. If unsure, send a one-line summary first and we'll tell you whether it's in scope before you write up the full report.
2. Email security@primenumberslabs.com
   PGP-encrypted mail is preferred (key fingerprint published above). Include: a clear title with the suspected severity, a reproducible PoC, the impact, and your suggested fix if you have one.
3. Wait for ack — no public disclosure
   You will receive an acknowledgement within the SLA above. Please do not disclose the issue publicly (Twitter, GitHub, Discord) until we have shipped a fix or 90 days have passed since the report, whichever is sooner.
4. Coordinated disclosure
   Once the patch is deployed and confirmed in production, we publish a post-mortem and credit you in the hall of fame and the on-chain disclosure log (unless you prefer to remain anonymous).
Safe harbor
We will not pursue legal action against researchers who comply with this policy in good faith. To qualify for safe harbor:
- You test only on your own accounts and do not affect other users' funds, data, or trading.
- You do not exfiltrate data beyond the minimum needed to demonstrate the issue.
- You report the issue privately first and give us reasonable time to fix it.
- You do not violate any other applicable law (US, EU, or your local jurisdiction).
Hall of fame
No reports yet — be the first. Submit feedback or email security@primenumberslabs.com.
Last updated: 2026-05-08 · Policy version 1.0 · Modeled after the OWASP Vulnerability Disclosure Cheat Sheet.