Responsible Disclosure Policy

We take security seriously. If you discover a vulnerability, we ask you to report it responsibly so we can fix it before it is exploited.

Disclosure window

We follow a 90-day coordinated disclosure model. We ask that you give us 90 days from the date of your initial report to investigate and deploy a fix before you publish your findings.

In scope

  • API endpoints (swapss.lol)
  • Web frontend (swapss.lol)
  • Telegram bot
  • On-chain transaction dispatch and wallet mechanics

Out of scope

  • Denial-of-service attacks (network or application layer)
  • Social engineering of staff or users
  • Third-party services or infrastructure we do not control
  • Theoretical vulnerabilities without a working proof-of-concept
  • Issues in dependencies that have already been publicly disclosed and are in our patch backlog

How to report

Send a detailed report to security@swapss.lol. Encrypt your message with our PGP key if the content is sensitive. Include: steps to reproduce, impact assessment, and any supporting evidence (logs, screenshots, proof-of-concept code).

Good-faith commitment

We will not take legal action against researchers who act in good faith, comply with this policy, and refrain from accessing or modifying user data beyond what is necessary to demonstrate the vulnerability.

What to expect

  • Acknowledgement within 2 business days
  • Status update within 7 business days
  • Coordinated disclosure after the fix is deployed (max 90 days)

Researchers who report valid issues are listed on our Hall of Fame.