Security & Responsible Disclosure
For reporting security vulnerabilities
Last reviewed: 2026-05-08
Contact
- Email: security@ergoplatform.org
- GitHub Security Advisory: Open advisory (preferred for protocol-level issues)
- security.txt: /.well-known/security.txt
Scope
Reports are welcome for issues affecting:
- ergoblockchain.org (this website)
- Ergo node and protocol (github.com/ergoplatform/ergo)
- Official Ergo SDKs (Fleet SDK, Sigma Rust, AppKit)
- Official wallets and bridges
For ecosystem projects (DEXes, dApps, NFT platforms), please report directly to the respective project. Contact information is usually in their GitHub or Discord.
What to Include
- Description of the vulnerability
- Steps to reproduce (proof of concept if possible)
- Impact assessment
- Affected versions / URLs
- Your contact information for follow-up
Responsible Disclosure
We ask that you:
- Give us reasonable time to investigate and remediate before public disclosure (typically 90 days)
- Do not access, modify, or destroy data that does not belong to you
- Do not perform attacks that could degrade service for other users (DoS, spam, social engineering)
- Do not violate laws in any jurisdiction
Out of Scope
- Vulnerabilities in third-party services we link to (report to them directly)
- Best-practice findings without demonstrable impact (e.g., missing security headers without exploitation)
- Phishing campaigns impersonating Ergo brands (report to relevant registrars / hosting providers)
- SPF/DMARC/DKIM completeness (handled by email provider)
Bounties
The Ergo Foundation may award discretionary bounties for high-severity findings. Severity is assessed using CVSS v3.1. There is no guaranteed payout — disclose responsibly because it is the right thing to do.
Acknowledgments
Security researchers who follow this policy are credited (with consent) on Ergo's GitHub Security Advisories page.
Acknowledged Reports
As of 2026-05-08 there are no published advisories on the public list. Coordinated disclosures are handled privately until a fix lands and the reporter consents to publication, at which point they appear on the GitHub Security Advisories page linked above.
When a credit is requested, it will be added to this section as well as to the corresponding advisory.