Skip to main content
Ensuring the safety of our open-source explorer platform is a top priority, and we greatly appreciate the crucial role security researchers play in contributing to open source. Should you identify a possible security vulnerability within our platform, we invite you to share your findings.

How to report a security vulnerability

Send us an email with the information below. We ask that you please keep your findings confidential during the reporting process. We will get back to you if we determine the issue is a vulnerability and discuss potential next steps and compensation. We may patch the vulnerability prior to our response to you, and we will asses the risk level on a case-by-case basis.
We will only get back to you if we determine the issue is a real security risk. Please do not submit spam reports as this takes away valuable time from our open-source development team.
  1. Description of the bug/vulnerability Clearly describe the vulnerability you’ve discovered.
  2. Steps to reproduce
    Outline the steps needed to replicate the vulnerability.
  3. Impact analysis
    Assess the potential impact of the vulnerability on users, developers, and the organization.
  4. Code fix (optional)
    If possible and appropriate, you may include a suggested code fix for the vulnerability.
  5. Type of vulnerability
    Choose a label that best fits the category of the bug for classification purposes.
  6. Additional Context
    Provide any additional information that could help in understanding and resolving the issue.
  7. Email your report
    Email your report to [email protected]
Information is also available on the SECURITY page of our Github Repo.

Security Considerations

The following items are considered high priority:
  • Business logic bugs or problems
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Sensitive information leaks
  • Server-Side Request Forgery (SSRF)
  • Other vulnerability with a clear potential loss

Out of Scope Items

Unless presenting a serious business risk (at our discretion), the following are typically not considered security issues.
  • Minor visual bugs, spelling errors, etc.
  • Social engineering tactics (e.g., phishing)
  • Issues in applications or systems not listed in the scope
  • UI/UX bugs, data entry errors, and typos
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Certificate/TLS/SSL issues
  • DNS configuration problems
  • Server configuration issues (open ports, TLS configurations, etc.)
  • Spam or social engineering techniques
  • Security flaws in third-party apps or services
  • Non-impactful XSS exploits
  • CSRF-XSS issues related to login/logout
  • Issues related to https/ssl or server-info disclosure
  • Mixed Content Scripts
  • Brute Force attacks
  • General best practices concerns
  • Recently disclosed 0day vulnerabilities
  • Username/email enumeration via error messages
  • Missing HTTP security headers
  • Weak password policies
  • HTML injection

🐐 Security GOATs

Thank you for your help keeping vital public infrastructure like block explorers safe and secure!