Vulnerability Disclosure Program (VDP) Policy

Introduction

At Blockdaemon, we prioritize the security and privacy of our customers, partners, and systems. We recognize that responsible security research plays a crucial role in identifying and mitigating vulnerabilities before they can be exploited by malicious actors.

This Vulnerability Disclosure Program (VDP) provides guidelines for security researchers and ethical hackers to report security vulnerabilities in our systems safely, ensuring a collaborative and coordinated approach to improving security.

Scope

We encourage responsible reporting of vulnerabilities related to:

  • Public-facing web applications, APIs, and domains owned by Blockdaemon.
  • Officially released iOS and Android mobile applications released by Blockdaemon
  • Publicly infrastructure, such as DNS, email, and authentication systems.
  • Any service explicitly listed in our “In-Scope Assets” section below.

In-Scope Assets to be Tested

  • blockdaemon.com (production web app).
  • api.blockdaemon.com (REST & RPC APIs.
  • Official Blockdaemon mobile apps on iOS and Android.
  • Blockdaemon-managed open source projects on GitHub or GitLab.

Out-of-Scope Assets

  • Internal systems and private environments Social engineering or phising attacks.
  • Denial of Service (DoS/DDoS) testing.
  • Physical security or hardware exploits.
  • Third-party applications not under Blockdaemon’s control.

Safe Harbor Policy

We are committed to working with security researchers in good faith. If you comply with this policy and report vulnerabilities responsibly:

  • We will not pursue legal action under the Computer Fraud and Abuse Act (CFAA) or similar laws. 
  • We will not contact law enforcement unless malicious intent is evident (e.g., extortion, data theft). 
  • We will work with you to validate and resolve the issue. 
  • We’ll recognize your contribution (if requested) in a public acknowledgment or Hall of Fame.

Reporting a Vulnerability

To report a security vulnerability, please email [email protected] with:

  • Summary: Brief description of the vulnerability.
  • Steps to Reproduce: Clear instructions on how to trigger the issue.
  • Impact Analysis: How this vulnerability could be exploited.
  • Proof-of-Concept (PoC): Screenshots, scripts, or videos demonstrating the issue.
  • Affected System(s): Where the vulnerability exists (e.g., api.example.com).
  • Your Contact Info: Name, email, and (optional) social media handle for follow-up.

Our Response Timeline

When you report a vulnerability, here’s what you can expect: 

  • Acknowledgment: Within 3 business days.
  • Initial Triage: Within 7 business days.
  • Fix Development: Based on severity.
  • Researcher Updates: Every 14 days until resolved.
  • Disclosure Coordination: Mutually agreed upon before any public announcement.

Vulnerability Classification & Severity

We use Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of reported vulnerabilities.

  • Critical (9.0–10.0): Remote Code Execution, SQL Injection, Auth Bypass.
  • High (7.0–8.9): Privilege Escalation, XSS leading to Account Takeover.
  • Medium (4.0–6.9): Reflected XSS, IDOR, SSRF (non-sensitive data).
  • Low (0.1–3.9): Clickjacking, missing security headers.

Coordinated Disclosure Policy

  • We request a 90-day disclosure window to resolve issues before public release.
  • If a vulnerability  is addressed sooner, we’ll propose an earlier disclosure window.
  • For critical  risks (e.g., active exploitation), we may expedite resolution and disclosure.

Rewards & Recognition

Blockdaemon’s Vulnerability Disclosure Program (VDP) is not a bug bounty program, and no monetary rewards are offered. However, we welcome responsible vulnerability reports, offer safe harbor for ethical disclosures, and may recognize impactful contributions with public acknowledgment or swag.

Legal Considerations

By submitting a vulnerability report, you agree:

  • You are not violating any applicable laws.
  • You are not exploiting the vulnerability beyond necessary testing.
  • You will not disclose the vulnerability before we resolve it.
  • You will not demand payment or use vulnerability reports for extortion.

Acknowledgment

We sincerely thank the security community for helping protect the Blockdaemon ecosystem. Your responsible disclosures make a meaningful impact!

mpc wallets & vaults
Institutional Vault
Builder Vault
Enterprise KMS
Nodes & APIs
Chain Watch
Wallet Transact
RPC API
Dedicated Nodes
DeFi API
Staking
Staking APIs
Staking App
Restaking
Liquid Staking
Reporting API
Validators
Protocols
Aleo
Algorand
Aptos
Arbitrum
Astar
Audius
Avalanche
Axelar
BNB Chain
BSN
All Protocols
Company
Foundations
About Us
Careers
Partnership Program
Expertise
Security
Infrastructure
Buzz
Blog
Resources
Newsletter
Press
Media Kit
documentation
All Documentation
REST APIs
Institutional Vault
Builder Vault
RPC API
DeFi API
Support
FAQs
Contact Support
Vulnerability Disclosure Program Policy
Terms & Conditions
Cookie Policy
Privacy Policy
Connect with blockdaemon
Newsletter

Sign up for our newsletter to receive the latest news and product updates.

Thanks! Look out for our next Newsletter!
Oops! Something went wrong while submitting the form.