Do NOT open public GitHub issues for security bugs.
Instead, email security@wraith.dev with:
- A description of the issue and its impact
- Steps to reproduce, ideally with a minimal proof-of-concept
- Your suggested fix (optional, but appreciated)
You'll get an acknowledgement within 48 hours. We aim to:
- Confirm the issue or close as not-a-bug within 5 business days
- Land a fix within 30 days for high-severity issues
- Land a fix within 90 days for everything else
If you don't hear back within 5 business days, ping @nutria on X.
In scope:
- The SDK in this repo (@wraith/sdk)
- The on-chain Anchor program (private repo, but disclosures honored)
- The indexer at indexer.wraith.dev
- The dashboard at wraithapp.vercel.app
Out of scope:
- Theoretical attacks requiring a compromised validator multisig
- Social-engineering attacks on the team
- Denial-of-service against indexer.wraith.dev (we run it stateless behind a CDN — there's no realistic DoS payoff)
We run a bug bounty with a $250k pool, structured by severity:
| Severity | Range |
|---|---|
| Critical (loss of funds, signing-key compromise) | $50k–$100k |
| High (slashing bypass, spoofed proofs) | $10k–$25k |
| Medium (privilege escalation, leaked metadata) | $1k–$5k |
| Low (minor info leaks) | $250–$1k |
Payouts in USDC on Solana. Discretionary; we'll always explain our reasoning.
- T+0: report received
- T+5: triage complete
- T+30 to T+90: fix landed in main + deployed
- T+90 from fix: public disclosure with full credit to the reporter (unless they prefer anonymity)
For sensitive reports, encrypt to:
https://wraith.dev/.well-known/security.txt