If you believe that you have spotted a vulnerability in either the Vega protocol software (node, data node, wallet, etc.) or network or any supporting systems or code used by the project, please submit a bug report by email or the web-form as described below to have this situation resolved as soon as possible.
Vega bug bounties are limited to the Core, Datanode, and all front end dApps including the desktop and hosted wallets.
The vega.xyz website and any bug related to the vega.xyz email domain are out of scope. The program is meant for serious bugs that have significant impact on security. Bugs on the vega.xyz website would only qualify if they demonstrate how to modify website content to replace links in order to, for instance, host malicious software in the downloads section of the site, link to different GitHub code repositories, or link to impersonator Twitter / Discord accounts from the Community section. In particular, if an automated scanner reports an issue with vega.xyz, that on its own does not merit a report.
Prevent a potential vulnerability being abused by others:
Please do not share knowledge about the vulnerability with others, until the issue has been fixed or we have worked out some safe and coordinated way of publication with you. Do not abuse the vulnerability. After a vulnerability has been reported, you will be contacted within 2 working days to make arrangements for a reasonable period of recovery, a possible coordinated publication of the vulnerability and reward.
Reward eligibility may be constrained by legal factors (e.g., not being allowed to make payments to certain countries or to transfer assets to anonymous accounts). We will do our best to find a way to reward submitters fairly for their discoveries, but may not be able to under all circumstances. Also, vulnerability abuse or sharing with third parties may disqualify you from any reward payment.
As a decentralized system, we are entirely separate from any validators running the Vega protocol, and vulnerabilities relevant to specific validators should be reported to them directly (though feel free to let us know if you think a validator is not responding appropriately). In addition, we have no influence on how the validators (or their cloud providers) might react if you poke their systems, so we cannot help you if you do so in any way that upsets them. For testing your discoveries, we advise using a separate protocol instance that you run yourself. The best way to do this is via the Vega Capsule tool.
If you want to send an encrypted message to email@example.com, you can use our PGP key, which is detailed below.
For anonymous submissions, you can use the following form: