Program status
A formal bug bounty program with tiered rewards is being finalized. In the meantime, please report any security issues directly to us.
How to report
If you discover a potential vulnerability:
Email: security@varla.xyz
What to include:
- Description of the issue
- Steps to reproduce
- Potential impact assessment
- Your wallet address (for bounty payment once the program launches)
Responsible disclosure
We ask that you:
- Do not exploit any vulnerabilities on mainnet
- Do not publicly disclose the issue until we’ve had time to address it
- Do give us reasonable time to respond (typically 48 hours for initial acknowledgment)
- Do work with us to understand and resolve the issue
Scope (preview)
When the formal program launches, we expect the following to be in scope:
| In scope | Out of scope |
|---|---|
| VarlaCore | Test/mock contracts |
| VarlaPool | Third-party dependencies |
| VarlaOracle | Frontend/UI issues |
| VarlaLiquidator* | Already known issues |
| VarlaInterestRateStrategy | Theoretical attacks without proof |
| VarlaAccessManager | |
*Includes all liquidation mode contracts (VarlaMergeLiquidator, VarlaConvertLiquidator)
Severity levels (preview)
| Severity | Description | Expected reward |
|---|---|---|
| Critical | Direct loss of user funds | TBD |
| High | Significant risk to funds or protocol operation | TBD |
| Medium | Limited risk; requires specific conditions | TBD |
| Low | Minor issues; no direct fund risk | TBD |
Acknowledgments
We will recognize security researchers who responsibly disclose vulnerabilities (with their permission).
No researchers have been acknowledged yet.