Security Policy - Responsible Disclosure
We are working with Immunefi to put together a comprehensive bug bounty program.
Reporting a Vulnerability
We take security at Virtuals Protocol seriously. We have paid out over $30,000 in bounties (as of 16 January 2025), and we thank the community of security researchers reporting bugs responsibly to us. If you believe you have found a security vulnerability, please report it to us by sending an email to: security@virtuals.io with:
A detailed description of the vulnerability
Steps to reproduce
Potential impact of the vulnerability
Any possible methods to mitigate that you have identified
What happens next?
An initial response in 24 hours to acknowledge that we have received your report
Updates are provided every 3 business days about progress
Resolution no later than 15 days for critical issues
We will coordinate public disclosure timing with you
Please do not blog or post on X or elsewhere until we have fixed the issue and coordinated public disclosure with you.
What is in scope
Everything the Virtuals Protocol touches is in scope. This includes, but is not limited to:
the smart contract
our SDKs
production-ready code in our repos, e.g. Virtuals Protocol, G.A.M.E
Recognition
We recognise security researchers who help improve the security of our critical infrastructure. Contributors are:
Credited in security acknowledgements
Paid a bounty for finding security issues
How are bounties determined?
Quality of description: provide a well-written submission
Reproducibility: please include a proof of concept (PoC) so that we can reproduce the issue and reward you. Code, scripts, and details matter! The easier it is to reproduce, the better the reward.
Quality of fix: you will get a higher reward if you also include a fix, thus easing our engineering burden.
Taking all of that into account, we use the CVSS score to arrive at a fair payment.
Contact
Security issues: security@virtuals.io