Reports should be submitted via email to [email protected]. Reports may be submitted anonymously and/or encrypted per instructions below.
All bug reports must be fixed and paid BEFORE being published.
Whitehats may NOT publish information about reports rejected as being a duplicate or known issue.
Whitehats may NOT publish information during the mediation process.
Bug report intellectual property remains with the whitehat. Right of publication, however, is determined by whichever publication category the project chooses.
Astaria will investigate legitimate reports and make every effort to quickly resolve any vulnerability. Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Note that Astaria requires notice prior to publishing any findings:
Whitehats may publish information about their fixed and paid bug reports provided that they give projects 21 days to review and provide input about the publication in the bug report submission thread before they publish.
Whitehats do NOT need to provide notice prior to publishing information about payment amount, severity, or high-level classification of the bug type (e.g. reentrancy), as long as they do not mention or indicate the project to which it was reported.
The notice requirement does NOT apply to Whitehats publishing information about reports that have not been resolved within 90 days of escalation, unless a mediation process is ongoing. In those instances, the Whitehat may disclose information pertaining to that bug report without restriction.