Security

Report a vulnerability to [email protected].

We acknowledge new reports within 24 hours and follow up with an initial assessment within 72 hours.


What to include

  • A clear description of the issue and the impact you believe it has

  • Steps to reproduce, with code, transactions, or screenshots where useful

  • Affected contracts, endpoints, or product surfaces (URLs, addresses, function names)

  • Any proof-of-concept material

  • Your preferred contact and the name or handle you'd like credited (optional)

If your report is sensitive, encrypt it to the PGP key below before sending.


Scope

In scope

  • The Megapot smart contracts listed in Contract Overview

  • megapot.io, docs.megapot.io, api.megapot.io, and llms.megapot.io

  • Services operated by Megapot Inc. that handle ticket purchases, drawings, payouts, and partner integrations

Out of scope

  • Third-party apps and integrations not operated by Megapot Inc., even when they build on the protocol — see the community builders list for examples

  • Social engineering of staff, players, or partners

  • Denial-of-service testing against production systems

  • Issues that require physical access to a target device, or that depend on already-compromised end-user hardware

  • Reports generated solely by automated scanners with no demonstrated impact


Safe harbor

We will not pursue legal action against researchers who:

  • Act in good faith and follow this policy

  • Avoid privacy violations, data destruction, and any disruption that affects other users

  • Stop at the minimum proof needed to demonstrate the issue

  • Give us a reasonable window to remediate before any public disclosure


PGP key

For encrypted reports, use the Megapot Security Team key. Before encrypting, check that the fingerprint of the key you obtained matches the full fingerprint below; do not rely on the short key ID alone.

  • User ID: Megapot Security Team <[email protected]>

  • Fingerprint: 2EF5 AADA 56CE 7BAF 7B8D 7712 0F54 74FE C123 F502

  • Key ID: 0xC123F502 (short ID; the long form is 0x0F5474FEC123F502, and the full fingerprint above is what to verify, since short IDs are cheap to collide)

  • Type: RSA 4096, expires 2030-05-19
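The procedure above (obtain the key, check its fingerprint against the published one, then encrypt the report to it) as an added shell example; this is not Megapot's own tooling. It assumes GnuPG 2.1 or later is installed and that the armored public key has already been saved locally as megapot-security.asc (a hypothetical file name); the report file name is likewise an assumption.

```shell
#!/bin/sh
# Added example, not Megapot's own tooling. Assumes GnuPG 2.1+ and that the
# public key has been obtained out of band and saved as megapot-security.asc
# (hypothetical name). Refuses to encrypt unless the key's fingerprint matches
# the one published on the security page.

EXPECTED_FPR='2EF5 AADA 56CE 7BAF 7B8D 7712 0F54 74FE C123 F502'

# Normalize a fingerprint: drop whitespace and an optional 0x prefix, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 if two fingerprints are equal after normalization, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the fingerprint of the first key in an armored key file without
# importing it: show-only lists the key instead of storing it, and with
# --with-colons the 'fpr' record carries the fingerprint in field 10.
keyfile_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt $2 to the key in $1, but only after the fingerprint check passes.
# Output goes to "$2.asc" as ASCII armor so it can be pasted into an e-mail.
encrypt_report() {
    keyfile="$1"
    report="$2"
    actual="$(keyfile_fingerprint "$keyfile")"
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: got '${actual:-nothing}', expected '$EXPECTED_FPR'" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" >/dev/null 2>&1 || return 1
    # Address the recipient by full fingerprint rather than short key ID, and
    # use --trust-model always because the fingerprint was just verified by hand.
    gpg --batch --trust-model always --armor --encrypt \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$report.asc" "$report"
}
```

Run `encrypt_report megapot-security.asc report.txt` to produce report.txt.asc; a fingerprint mismatch aborts before anything is imported into the keyring or encrypted.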


After your report

We'll keep you in the loop as we triage, reproduce, and patch. If you'd like credit, we'll list you in the release notes for the fix. Bounty eligibility and amounts are decided case by case.

For previously published audit work, see the Audits page.

Last updated