Found something? We want to hear it. Calmly, and in private.

What to include

• The affected target: a contract address and chain, a repository, or a URL.
• A clear description of the issue and the impact you believe it has.
• Steps to reproduce, ideally a proof of concept: a script, a failing test, or a transaction sequence.
• Any conditions or assumptions the issue depends on.

What you can expect

• We acknowledge within two business days.
• Once we've reproduced it, you get an honest read on severity.
• We coordinate timing, and we won't push for publication before a fix is realistic.
• Credit if you want it, discretion if you don't.

Good-faith research

Test only against systems you're authorized to test. Don't access or modify data that isn't yours, don't degrade service, and don't hold findings for ransom. Research done in good faith under these terms is welcome, and we'll act in good faith in return. If you're reporting on behalf of a program we support, that program's policy and scope take precedence.