Security & Responsible Disclosure

For reporting security vulnerabilities

Scope

Reports are welcome for issues affecting:

  • ergoblockchain.org — this website
  • Ergo node and protocol (github.com/ergoplatform/ergo)
  • Official Ergo SDKs (Fleet SDK, Sigma Rust, AppKit)
  • Official wallets and bridges

For ecosystem projects (DEXes, dApps, NFT platforms), please report directly to the respective project. Contact information is usually in their GitHub or Discord.

What to Include

  • Description of the vulnerability
  • Steps to reproduce (proof of concept if possible)
  • Impact assessment
  • Affected versions / URLs
  • Your contact information for follow-up

Responsible Disclosure

We ask that you:

  • Give us reasonable time to investigate and remediate before public disclosure (typically 90 days)
  • Do not access, modify, or destroy data that does not belong to you
  • Do not perform attacks that could degrade service for other users (DoS, spam, social engineering)
  • Do not violate laws in any jurisdiction

Out of Scope

  • Vulnerabilities in third-party services we link to (report to them directly)
  • Best-practice findings without demonstrable impact (e.g., missing security headers without exploitation)
  • Phishing campaigns impersonating Ergo brands (report to relevant registrars / hosting providers)
  • SPF/DMARC/DKIM completeness (handled by email provider)

Bounties

The Ergo Foundation may award discretionary bounties for high-severity findings. Severity is assessed using CVSS v3.1. There is no guaranteed payout — disclose responsibly because it is the right thing to do.

Acknowledgments

Security researchers who follow this policy are credited (with consent) on Ergo's GitHub Security Advisories page.