Last updated: 2026-02-19
RustChain welcomes good-faith security research.
If you act in good faith and follow this policy, Elyan Labs maintainers will not pursue legal action related to your research activities.
Good-faith means:
- avoid privacy violations, data destruction, and service disruption
- do not access, alter, or exfiltrate non-public user data
- do not move funds you do not own
- do not use social engineering, phishing, or physical attacks
- report vulnerabilities responsibly and give maintainers time to fix them before public disclosure
Testing conducted in accordance with this policy is authorized by project maintainers. We will not assert anti-hacking claims for good-faith research that follows these rules.
Preferred:
- GitHub Private Vulnerability Reporting (Security Advisories)
Alternative:
- Open a private disclosure request via the maintainer contact listed in the repository profile
Please include:
- affected component
- clear reproduction steps
- impact assessment
- suggested mitigation if available
In scope:
- consensus and attestation logic
- reward calculation and epoch settlement
- wallet transfer and pending confirmation paths
- API authentication/authorization/rate-limit controls
- bridge and payout-related integrations
Out of scope:
- social engineering
- physical attacks
- denial-of-service against production infrastructure
- reports without reproducible evidence
Response timeline:
- acknowledgment: within 48 hours
- initial triage: within 5 business days
- fix/mitigation plan: within 30-45 days
- coordinated public disclosure target: up to 90 days
Bounty rewards are discretionary and severity-based.
- Critical: 2000+ RTC
- High: 800-2000 RTC
- Medium: 300-800 RTC
- Low: 50-300 RTC
Bonuses may be granted for clear reproducibility, exploit reliability, and patch-quality remediation.
Payout terms:
- Bounty payouts are offered in project-native tokens unless explicitly stated otherwise.
- No token price, market value, liquidity, convertibility, or future appreciation is guaranteed.
- Participation in this open-source program is not an investment contract and does not create ownership rights.
- Rewards are recognition for accepted security work: respect earned through contribution.
Reports are ineligible for reward if they involve:
- extortion or disclosure threats
- automated spam submissions
- duplicate reports without new technical substance
- exploitation beyond what is required to prove impact
Valid reports may receive:
- RTC bounty payout
- optional Hall of Hunters recognition
- follow-on hardening bounty invitations