Security at DeFi Intel — responsible disclosure
If you have found a security vulnerability in DeFi Intel — the website, our subdomains, the public API once GA, or any service we operate — we want to hear about it. This page is the canonical place to start. We acknowledge reports within 24 hours, triage within 72 hours, and operate under a standard 90-day coordinated-disclosure timeline. Good-faith researchers are protected by the safe-harbor terms below. Our machine-readable contact card lives at /.well-known/security.txt per RFC 9116.
Reporting a vulnerability
| Channel | Detail |
|---|---|
| Email | [email protected] |
| PGP key | 0xPLACEHOLDER PGP FINGERPRINT — full public key at /.well-known/pgp-key.asc (placeholder until publication) |
| Encrypted email | Strongly preferred for any report rated High or Critical. |
| RFC 9116 | /.well-known/security.txt |
| Acknowledgement SLA | 24 hours from receipt |
When you report, please include: a clear description of the vulnerability, reproduction steps (curl invocation, browser screenshot, video, or proof-of-concept code), the affected URL or endpoint, your assessment of severity (Critical / High / Medium / Low), and a name or handle you'd like credited in our Hall of Fame (or "anonymous" if you prefer).
Scope
In scope:
- defi-intel.com and all subdomains (www, api, embed, research, etc.)
- Cloudflare Pages production deployment of the static site (1,099+ pages)
- The data API at /api/ once it transitions from preview to GA
- JavaScript bundles served from defi-intel.com (compiled React app, service worker, embed widgets)
- The newsletter and contact-form handler endpoints
- Authentication / billing flows when launched (currently pre-GA)
Out of scope:
- Third-party services we consume (CoinGecko, DefiLlama, Etherscan, Cloudflare). Report these to the upstream vendor.
- Vulnerabilities in third-party fonts (Google Fonts), CDNs we do not control, or browser-vendor issues.
- Self-XSS, clickjacking on pages without sensitive actions, missing security headers on static pages with no authenticated state.
- Username enumeration on public-by-design endpoints (the entity directory is intentionally crawlable).
- Theoretical CSRF on logout / GET-only endpoints with no state change.
- Outdated software / library versions without a demonstrated exploitable impact.
- Best-practice recommendations without a working PoC (we welcome these via [email protected] but they are not eligible for bounty).
Safe harbor
DeFi Intel will not pursue legal action, file claims, or engage in retaliation against security researchers who:
(1) make a good-faith effort to follow this policy, (2) avoid violating user privacy, destroying data, or interrupting service, (3) only interact with accounts they own or with explicit permission of the account holder, (4) do not exfiltrate more data than necessary to demonstrate the vulnerability, (5) keep the vulnerability confidential between report and public disclosure, and (6) do not engage in extortion.
If a third party brings legal action against a researcher who complied with this policy, we will make it known publicly that the researcher was operating in good faith.
If you are uncertain whether a specific test would violate this policy, ask first at [email protected]. We respond within one business day.
Response SLAs
| Stage | Target |
|---|---|
| Initial acknowledgement | 24 hours |
| Triage and severity assignment | 72 hours |
| Fix — Critical | 7 days |
| Fix — High | 30 days |
| Fix — Medium | 90 days |
| Fix — Low | Best effort, scheduled in roadmap |
| Public disclosure | 90 days from triage, or sooner if mutually agreed |
Severity reference
- Critical — Remote code execution on a production host, full database dump, mass account takeover, full bypass of the data-licensing paywall, supply-chain compromise of our build pipeline.
- High — Stored XSS on a page with authenticated state, IDOR on Pro / Enterprise endpoints, server-side request forgery against internal infra, leak of un-published research.
- Medium — Reflected XSS on public pages, CSRF on state-changing endpoints, rate-limit bypass enabling DoS, misconfigured CORS exposing private endpoints.
- Low — Information disclosure of public-by-design data, header weaknesses without exploitable impact, open redirect on a parameter that does not chain to a higher-severity issue.
Bug bounty (pre-launch)
The bounty programme is currently pre-launch. We accept and triage reports today, but monetary payouts are not yet active. Reports filed during pre-launch will be retroactively eligible for credit in the Hall of Fame and for first-priority consideration when the programme activates at GA.
Initial bounty ranges (target activation: GA cutover, expected late 2026):
| Severity | Range (USD) |
|---|---|
| Critical | $2,500 – $5,000 |
| High | $1,000 – $2,500 |
| Medium | $250 – $1,000 |
| Low | $100 – $250 |
Bounty amounts are at our discretion and depend on impact, quality of the report, and whether a working PoC was provided. Duplicates are not paid. The first valid report gets the bounty.
Hall of Fame
Researchers who report a verified vulnerability and follow this policy are credited here, with a link of their choice (Twitter, GitHub, personal site, or anonymous). Credits are added within 7 days of the fix shipping.
- Awaiting first valid report — your name could be here.
Out-of-scope research methods
The following are explicitly out of scope and will not receive credit, bounty or safe-harbor protection:
- Social engineering of DeFi Intel staff, contractors, or vendors.
- Physical attacks against offices, residences, hardware or infrastructure.
- Denial-of-service testing against production beyond rate-limit probing of public endpoints (any sustained DoS is out of scope).
- Spam, phishing, or any test that targets real users without their consent.
- Automated scanning that generates more than 5 requests per second per endpoint without prior coordination.
- Compromising third-party accounts to demonstrate an attack against DeFi Intel.
Coordinated disclosure timeline
We follow a standard 90-day coordinated-disclosure window, measured from triage. The clock can be paused with mutual agreement (typically when a fix requires a major dependency upgrade), and we may request an extension; we will not unilaterally extend past 120 days without strong justification.
You retain the right to publish your findings after the 90-day window, with or without our coordination. We ask only that you give us the chance to ship the fix first; in return we credit your work and link to your write-up.
Built by Round-9 Lane-13 (Trust pages). Last reviewed 2026-05-03.