> For the complete documentation index, see [llms.txt](https://docs.megapot.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.megapot.io/appendix/security.md).

# Security

Report a vulnerability to [**security@megapot.io**](mailto:security@megapot.io).

We acknowledge new reports within 24 hours and follow up with an initial assessment within 72 hours.

***

## What to include

* A clear description of the issue and the impact you believe it has
* Steps to reproduce, with code, transactions, or screenshots where useful
* Affected contracts, endpoints, or product surfaces (URLs, addresses, function names)
* Any proof-of-concept material
* Your preferred contact and the name or handle you'd like credited (optional)

If your report is sensitive, encrypt it to the PGP key below before sending.

***

## Scope

**In scope**

* The Megapot smart contracts listed in [Contract Overview](/developers/contract-overview.md)
* megapot.io, docs.megapot.io, api.megapot.io, and llms.megapot.io
* Services operated by Megapot Inc. that handle ticket purchases, drawings, payouts, and partner integrations

**Out of scope**

* Third-party apps and integrations not operated by Megapot Inc., even when they build on the protocol — see the [community builders list](/developers/start-here.md#join-a-community-of-builders) for examples
* Social engineering of staff, players, or partners
* Denial-of-service testing against production systems
* Issues that require physical access to a target device, or that depend on already-compromised end-user hardware
* Reports generated solely by automated scanners with no demonstrated impact

***

## Safe harbor

We will not pursue legal action against researchers who:

* Act in good faith and follow this policy
* Avoid privacy violations, data destruction, and any disruption that affects other users
* Stop at the minimum proof needed to demonstrate the issue
* Give us a reasonable window to remediate before any public disclosure

***

## PGP key

For encrypted reports, use the Megapot Security Team key.

* **User ID:** Megapot Security Team <<security@megapot.io>>
* **Fingerprint:** `2EF5 AADA 56CE 7BAF 7B8D 7712 0F54 74FE C123 F502`
* **Key ID:** `0xC123F502`
* **Type:** RSA 4096, expires 2030-05-19

```
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGoMaoMBEADEqV7WXtr8W9bSgfIo5BQaATvJspjEqwUdjb9bPHyEE1f/ei01
Ijqw+XyxorkQ976hE1ScdhPTeP8fI7axGRy0JV3SxlI6GErOjEYrF//rsxl5QiSf
7ukK1YgoRDQTDtVjb67oytRiTBzNO+/KXRIb0fhCz68hJh75uME53NkI5VAH/9/f
ZaLDn8I8fYwoZqsA3AN9tHH/9rcEv4yKpt6Lj4MmGF0IogDJOjlW9+XBHAVKgghZ
3UtMmBLzpazC+dhKY0y84E1mC7dqAVZrgExF0RDhjFi31FarIDZj5v4489CcJgBp
yqrS+6zTjFkdXjWDdgQkn2YcO3XGBch62HPMcopS/1NBOUJ45QUDXwL+FtrPWT0M
xxw+njnokvhpTXRRw6j0CrpiTvO+my70POrgmH1XaDO/dk6wG5mbUflhjNuk1FZG
mfYLJau7LYVWOaACPNxSRTkV8IOrIUCBCl9Zyi8p1iwrHNL61M11QlX9jXKO8C5z
hl7rTdIRYxM3rwUUDORZmaQSV+gGufMIb4jX8YDfzLt7jBDX3YIwqfk1yl3xGV8v
pHkIE7b3GgXtErA6SU+U0FDmjzYxSQrgn9MFOqfhiTlbLs+43om+JpJjgUPEhBSw
17nlaghyfZ8UfkkqNsmsl0Vn9L3NbVHv3BxQcuIgTLvqd+yS8iuB/wzUyQARAQAB
tCtNZWdhcG90IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1lZ2Fwb3QuaW8+iQJU
BBMBCAA+FiEELvWq2lbOe697jXcSD1R0/sEj9QIFAmoMaoMCGwMFCQeGHe0FCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQD1R0/sEj9QLeBA//XJaWv1TtSDKRP69u
fFSsCmkyHfT7ShoXVnu4xOyA/JPfT8Zzx+ZhfVH2DWftBmmkOtFahlvsVkOmJ5KG
IZV+AUcu2c7OijOIZx3Jo1HAsU8erR4mSchGZwYwg0qkCkIOE5civqE1JHrNoROm
5sURLHbCMsJyIh+GVu6fetVo1qpYjmUdNftLUDBvrV/OuOlZYxi8+H+dKFGMzjFE
OxRKwfAFYhl1wush02Kv/BnHRJOfdtm01igHE0/S17PVOFiKp8KKMpT2IbfQbTc5
zjx9KaKJMBTfogJ9WxhSGYBnq0CTq/BbSsbrjWXyOPh8z09EvqQvSl2ps4HjXZr/
BrdgvHQmXLnqAxkKZ9mEJ/1HRUvOz/FEC36E+DOAgAWaeibBUICoH46B9HQOXAEj
LpK3Fq77+USFz6aSDUzQgq3qb7+ep/dln2Ol8dKKJvAFRuCuETuwR8thkqkM2lbU
FwyFFXKoJcWeaYg0EVU5po1eKRx7HtkYe2meqSN9Yr8nv2P4aohLkWB8S8+W3Jq6
9E1LMq/n6v3s9JW0s+SeMlSObq5sStV2P5oEbdfhXmsXRADYi0rmkYTva7OcYEJo
sxhjZPk7maFfU3g8UJyhcU/G6+LrXAUJrhQRd6ZVzQTgZPt9L0d80HVFUREuumzV
pmDDFtXQG9IKAQZT9TypaQorWZe5Ag0EagxqgwEQALnU5h4aEhQFwqziSHbVuROS
aglTqIEvvv2B1nCTeUqlAB1ck+0TYF1VA8LJG9vpvIaLZnd46yzwJW6HzgCF9lJb
fO3be/YXS3/CpLtiwPqIgogRDF+/1hvMHHcupAGOEjMplUcetkXnLA+tpmCwjE+o
EnC5XUelzD4oKU4Xn0PKZmuuDTf/te3vb3OWB4kt7RTx3e0lZY3A8ALnyr3ZQcpF
s80C+sO2+KynMEi3euw021WEODcJwcyF5IWKwESUy0ltK4comhm4EEdmv4/dhDjo
KTaxCk9I7Ao+Ln5Jqg4nlnOU4n5XQq+ED7EepGC9HzNauXdQssBFs8UV3u9ZgbY2
3oE763/X/pWSUM7hkYdC/UnhSUwma0+/GX2t2TKEI7D69+qs/OPAyZ4Bcik1xssg
2iziplxdzLYB/NDHXCFlMjr3BADwubkJoIQ0P5LAi0vzVlrOKyu3zm285ykz7D0b
FuoE6DserOOdZYJ3uSOPbeMyPli2NENuqb5aK3eIojhAzK26dxD2L03Zf/pPhkkb
dr7PLeNHxZa71hx3qxGtHAjFXjjVGh9t/WEkaR8iDkGCRkQaX8TiYPXpbAauPlmy
+7Prwavw8XHWvWyjaIdgXnTS0/Nol3zi6CYbO9z8nteMUEzRqErdZm2CIw87FXwg
kAgnKUUf341wPkiUFHFDABEBAAGJAjwEGAEIACYWIQQu9araVs57r3uNdxIPVHT+
wSP1AgUCagxqgwIbDAUJB4Yd7QAKCRAPVHT+wSP1AvdFD/4poZpkf2LgwuGWuXp7
MYsJAn78nVMtOr8FJLLSuiE378Yy8xaaCOMAlEKQma3hWp5Qt7o2iIVYbS72F6Dk
LkV4pCnq8d6Ngkh21UWqeJnworizsBa5oRhZLC8oGcpTpxkFA3Uh6EvqTcMXKNOO
n+EYwU64q/mYttRWrKLMTrLORpHDjhaeJqjYZ/3o99rkarox+SpoMvm7IhNvVfK6
1+evPlE62sQTtnloA22fuGzwKtTKtmlNzlhCMJ6mSze+8xn3oHaM1iQQvKqn6L3E
Sibc5Vj/23BFHYi8nj22C7hu8iv82zw4EabddhS8TWHYALvbyf9fP2X1dYWdzOeK
9TYeB9UDr4Ysh5PfoVMkzd27F/zdCjz6YW03y3FRKXQsJ0sl89kfdizZBZv1JbCW
tcmUkV/3N8yJ8g9LVuLSKzjLr98NqKPUqSHEZ6X7doHiyd0eyityQjTTSMYvocsq
I0zCev9Cl9BiumWJc7/16AfRD6qbNBDCqhXWVwLEctBXail9FooBx0q8ivH5W7xv
0lPieu5585o/JluuCcQYXvkDAXXA+paZ1hNPNYoWOwm83qnIx2wg5PwzMMf5ugxU
fpINbUTNOjcvovoz/qDxqwmJIw3Q0qzEKxIv7esH8gkmvkuLqN/FS2nNIzOsIY1m
n6I3U3+qqX+w7MjTs5CUtKnpgA==
=22J7
-----END PGP PUBLIC KEY BLOCK-----
```

***

## After your report

We'll keep you in the loop as we triage, reproduce, and patch. If you'd like credit, we'll list you in the release notes for the fix. Bounty eligibility and amounts are decided case by case.

For previously published audit work, see the [Audits](/learn/audits.md) page.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.megapot.io/appendix/security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.