# Security Policy - Responsible Disclosure

We are actively working with [Immunefi](https://immunefi.com/) to establish a comprehensive bug bounty program.

## Reporting a Vulnerability

We take security at [Virtuals Protocol](https://app.virtuals.io/) seriously. We have paid out over $30,000 in bounties (as of 5 Aug 2025), and we thank the community of security researchers who report bugs responsibly to us. If you believe you have found a security vulnerability, please report it to us by sending an email to <security@virtuals.io> with:

* A detailed description of the vulnerability
* Steps to reproduce
* Potential impact of the vulnerability
* Any possible methods to mitigate that you have identified

What happens next?

* An initial response within **24 hours** acknowledging that we have received your report
* Progress updates every 3 business days
* Resolution within 15 days for critical issues
* We will coordinate public disclosure timing with you

Please do not blog or post on X etc. until *after* we have fixed the issue and coordinated public disclosure with you.

## What is in scope

Everything the Virtuals Protocol touches is in scope. This includes, but is not limited to:

* the smart contract
* our SDKs
* production-ready code in our repos, e.g. [Virtuals Protocol](https://github.com/Virtual-Protocol), [G.A.M.E](https://github.com/game-by-virtuals)

## Recognition

We recognize security researchers who help improve the security of our critical infrastructure. Contributors are:

* Credited in security acknowledgements
* Paid a bounty for finding security issues

How are bounties determined?

* Quality of description: provide a well-written submission
* Reproducibility: include a proof of concept (PoC) so that we can reproduce the issue and reward you. Code, scripts, and details matter: the easier it is to reproduce, the better the reward.
* Quality of fix: you will receive a higher reward if you also include a fix, easing our engineering burden.

Together with the above, we use the [CVSS score](https://nvd.nist.gov/vuln-metrics/cvss) of the issue to arrive at a fair payout.

## Contact

* Security issues: <security@virtuals.io>
