Sifchain looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. We are a public, open-source, decentralized blockchain and omni-chain DEX where most information is publicly queryable by the entire internet. Our primary concern is any vulnerability where an attacker can siphon assets from our users in an unintended way. Our secondary concern is any vulnerability that could affect or compromise the availability or performance of our blockchain. Any issues beyond that will be considered Low severity at best.
For all security-related issues, refer to our Bug Bounty Program. Do not open a GitHub issue if the bug is a security vulnerability.
Ensure the bug was not already reported by searching on GitHub under Issues.
Sifchain will make a best effort to meet the following response times for reported vulnerabilities:
- Time to first response (from report submit) - 2 days
- Time to triage (from report submit) - 3 - 5 days
- Time to bounty (from triage) - 3 - 5 days
We’ll try to keep you informed about our progress throughout the process.
- Vulnerabilities should be disclosed through the Immunefi platform. Immunefi will then handle bug bounty communications.
- Public disclosure of a vulnerability makes it ineligible for a bounty. If the user reports the vulnerability to other security teams (e.g. Ethereum or Cosmos) but reports to Sifchain with considerable delay, then Sifchain may reduce or cancel the bounty.
- Users who violate the rules of participation will not receive bug bounty payouts and may be temporarily suspended or banned from the bug bounty program.
For more information, check the Sifchain bounty program policy at Immunefi.