If you believe that you have spotted a vulnerability in either the Vega protocol software (node, data node, wallet, etc.) or network or any supporting systems or code used by the project, please submit a bug report by email or the web-form as described below to have this situation resolved as soon as possible.
Vega bug bounties are limited to the Core, Datanode, and all front end dApps including the desktop and hosted wallets.
The vega.xyz website or any bug related to the vega.xyz email domain are out of scope. The program is meant for serious bugs that have significant impact on security. Bugs on the vega.xyz website would only qualify if they demonstrate how to modify website content to replace links in order to for instance; host malicious software on the downloads section of the site, link to different github code repositories, link to impersonator Twitter / Discord accounts from the Community section etc. In particular if any automated scanner reports that there is an issue with vega.xyz then this on its own does not merit a report.
Prevent a potential vulnerability being abused by others:
Please do not share knowledge about the vulnerability with others, until the issue has been fixed or we have worked out some safe and coordinated way of publication with you. Do not abuse the vulnerability. After a vulnerability has been reported, you will be contacted within 2 working days to make arrangements for a reasonable period of recovery, a possible coordinated publication of the vulnerability and reward.
Reward eligibility may be constrained by legal factors (e.g., not being allowed to make payments to certain countries or to transfer assets to anonymous accounts). We will do our best to find a way to reward submitters fairly for their discoveries, but may not be able to under all circumstances. Also, vulnerability abuse or sharing with third parties may disqualify you from any reward payment.
As a decentralized system, we are entirely separate from any validators running the Vega protocol and vulnerabilities relevant to specific validators should be reported to them directly (though feel free to let us know if you think a validator is not responding appropriately). In addition, we have no influence on how the validators (or their cloud providers) might react if you poke their systems, so we cannot help you if you do so in any way that upsets them. For testing your discoveries, using a separate protocol instance that you can run for yourselves is advised. The best way to do this is via the Vega Capsule tool.
If you want to send an encrypted message to security@vegaprotocol.io, you can use our PGP key, which is detailed below.
For anonymous submissions, you can use the following form:
-----BEGIN PGP PUBLIC KEY BLOCK----- mDMEZJBtihYJKwYBBAHaRw8BAQdAnoV3CXhVkzH4SWA9C9t5kQOniW3RLSpYMGKa 4v4TqjO1AVVWZWdhUmVwb3J0IChWZWdhLVByb3RvY29sIFNlY3VyaXR5IElzc3Vl IFJlcG9ydGluZyBrZXkuIFRoaXMga2V5IGlzIG9ubHkgdXNlZCB0byBhbGxvdyBm b3IgZW5jcnlwdGVkIGNvbW11bmljYXRpb24gb24gc2VjdXJpdHkgaXNzdWVzIHdp dGggdGhlIHRlYW0sIGFuZCBpcyBuZXZlciB1c2VkIHRvIHNpZ24gYW55dGhpbmcg bWVhbmluZ2Z1bC4gSXQgYWxzbyBtYXkgYmUgcmV2b2tlZCBhdCBhbnkgdGltZTsg cGxlYWUgY2hlY2sgdGhlIHdlYnNpdGUgYXQgdmVnYS54eXogYXMgdGhlIGF1dGhv cmF0aXZlIHNvdXJjZSBvZiB0aGUgY3VycmVudGx5IHVzZWQga2V5LikgPHNlY3Vy aXR5QHZlZ2EueHl6PoiZBBMWCgBBFiEEDmwoUh14HTF+GTIYbn2QYotPYZMFAmSQ bYoCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQbn2QYotP YZNYIwEA1Qu6MZcb5RqotV8dlodFxp9s1CL5jqHO0mq+yvyyUu8BAP1hKuhdTN35 MmAf5jCXD+kCv9UkBAdkJ3Mux7v4+D8KuDgEZJBtihIKKwYBBAGXVQEFAQEHQGop lH9egLg4MU30OINhdDw1nz1N8/Ocw78a/KNi+mUvAwEIB4h+BBgWCgAmFiEEDmwo Uh14HTF+GTIYbn2QYotPYZMFAmSQbYoCGwwFCQPCZwAACgkQbn2QYotPYZPdgAEA gHy/18LW+Yn//ddY6+2hCGhLzGDh5D5jSoLcD8/UGPoBAJezJQFgQuPZ0buIBrSh UGCir7aOk4/aTC1UAg0+8w8F =KKVZ -----END PGP PUBLIC KEY BLOCK-----