Dapper Labs Responsible Disclosure Program

Dapper was built from the ground up with security in mind. Our code, infrastructure, and development methodology help us keep our users safe.

We appreciate and encourage the security researcher community to report potential vulnerabilities in our assets.

Guidelines for Responsible Disclosure

If you identify a vulnerability, please notify us using the following guidelines. 
Things To Do:
Things Not To Do:

Assets In Scope

To be eligible for a reward, you may report a vulnerability in one or more of the following Dapper assets: 

Assets Out of Scope

The following assets are excluded from the Responsible Disclosure Program: 

Sensitive Data

In the interests of protecting privacy, we never want to receive reports containing:

Exclusions (Non-Qualifying Vulnerabilities)

The following vulnerabilities are excluded from this program:

Our Commitment To You

Activities conducted in accordance with the Responsible Disclose Program shall be considered authorized, and we will not initiate legal action against you. Dapper reserves all legal rights in the event of noncompliance with this program. 

We will work with you and investigate and resolve vulnerabilities within a reasonable timeframe.

We reserve the right to change the Responsible Disclosure Program at any time.

Rewards

Rewards are based on the severity of the vulnerability. Reward amounts, if any, will be determined by us in our sole discretion. A maximum of $1M of rewards per person or organization shall be paid within any 12 consecutive months based on the reward value at time of payment. Additionally, all bounty rewards are subject to applicable law. 

To qualify for a reward, the vulnerability must fall within our Assets In Scope, comply with our Responsible Disclosure Guidelines, and meet the following criteria:

  1. Previously unknown - When reported, we must not have already known of the issue, either by internal discovery or other report.
  2. Material impact - Demonstrable vulnerability where, if exploited, the vulnerability would materially affect the confidentiality, integrity, or availability of our assets.
  3. Requires action - The vulnerability requires some mitigation.
  4. Your participation is not prohibited by applicable law.

Reporting Vulnerabilities To Us

Please report any vulnerabilities to us at security@dapperlabs.com

If you prefer to encrypt the information you send us please use our PGP key at OpenPGP Key Server.

Please include the following details with your report:

Please respond to any follow-up requests from our team for updates or additional information.