- Encrypted Email: Send an encrypted email to [email protected]. The public PGP key is available here.
- GitHub Private Vulnerability Reporting: Use the Private vulnerability reporting feature on GitHub (see repository settings).
- Form: A short web form is also available at https://bimex.io/security/report.
- In Scope: The Soroban smart contract, the frontend application, and the indexer service.
- Out of Scope: Rate‑limit tests on the public testnet, the public RPC endpoints, and any third‑party services not maintained by the Bimex team.
- Acknowledgement: within 48 hours of receipt.
- Fix: up to 30 days for high‑severity issues.
Researchers who act in good faith and follow this policy will not be prosecuted for their activities.
We are evaluating a bug‑bounty program (see issue #14 for discussion).
This policy is based on best practices for open‑source projects and complies with GitHub's security guidelines.