# Security Policy - Responsible Disclosure

We are currently working with [Immunefi](https://immunefi.com/) to put together a comprehensive bug bounty program.

## Reporting a Vulnerability

We take security at [Virtuals Protocol](https://app.virtuals.io/) seriously. We have paid out over $30,000 in bounties (as of 5 Aug 2025), and we thank the community of security researchers who report bugs to us responsibly. If you believe you have found a security vulnerability, please report it by emailing <security@virtuals.io> with:

* A detailed description of the vulnerability
* Steps to reproduce
* Potential impact of the vulnerability
* Any possible mitigations that you have identified

What happens next?

* An initial response within **24 hours** to acknowledge that we have received your report
* Progress updates every 3 business days
* Resolution no later than 15 days for critical issues
* We will coordinate public disclosure timing with you

Please do not blog, post on X, etc. until *after* we have fixed the issue and coordinated public disclosure with you.

## What is in scope

Everything the Virtuals Protocol touches is in scope. This includes, but is not limited to:

* the smart contract
* our SDKs
* production-ready code in our repos, e.g. [Virtuals Protocol](https://github.com/Virtual-Protocol), [G.A.M.E](https://github.com/game-by-virtuals)

## Recognition

We recognize security researchers who help improve the security of our critical infrastructure. Contributors are:

* Credited in security acknowledgements
* Paid a bounty for finding security issues

How are bounties determined?

* Quality of description: provide a well-written submission
* Reproducibility: please include a proof of concept (PoC) so that we can reproduce the issue and you can be rewarded. Code, scripts, and details matter! The easier to reproduce, the better the reward.
* Quality of fix: you will get a higher reward if you also include a fix, as this eases our engineering burden.

Taking all of that into account, we use the [CVSS Score](https://nvd.nist.gov/vuln-metrics/cvss) to come up with a fair payment.

## Contact

* Security issues: <security@virtuals.io>

