| Version | Supported |
|---|---|
| 1.0.x | ✅ |

If you discover a security vulnerability in BitFlow Finance, please:
- DO NOT open a public issue
- Email security@bitflow.finance (or your contact)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

We will respond within 48 hours and provide updates every 72 hours.

When using BitFlow Finance:
- Never share private keys - Your keys are your responsibility
- Verify contract addresses - Always double-check contract addresses before interacting
- Start with small amounts - Test with small amounts on testnet first
- Review all transactions - Carefully review transaction details before signing
- Keep software updated - Use the latest version of wallets and browsers
- Use hardware wallets - For large amounts, consider using a hardware wallet
- Beware of phishing - Only use official BitFlow Finance URLs

We offer rewards for responsibly disclosed security vulnerabilities:

| Severity | Reward Range | Examples |
|---|---|---|
| Critical | $1,000 - $5,000 | Fund theft, unauthorized access |
| High | $500 - $1,000 | Logic errors affecting core functionality |
| Medium | $100 - $500 | Information disclosure, DoS vulnerabilities |
| Low | $50 - $100 | Minor issues with limited impact |

In Scope:
- Smart contracts (Clarity code)
- Frontend application
- Backend APIs (if applicable)

Out of Scope:
- Third-party services
- Known issues already reported
- Social engineering attacks
- Physical attacks

To be eligible for a bounty:
- Be the first to report the vulnerability
- Provide sufficient detail to reproduce
- Do not exploit the vulnerability
- Do not disclose the vulnerability publicly until we have had time to fix it
- Follow responsible disclosure practices

BitFlow Finance implements multiple security layers:
- Smart Contract Audits - Professional third-party audits
- Test Coverage - Comprehensive unit and integration tests
- Formal Verification - Mathematical proofs of correctness where applicable
- Access Controls - Strict permission management
- Rate Limiting - Protection against abuse
- Monitoring - 24/7 monitoring of contract activity

In the event of a security incident:
- We will investigate immediately
- Affected users will be notified within 24 hours
- We will work with the community to resolve the issue
- A post-mortem will be published after resolution

For security concerns, contact:
- Email: security@bitflow.finance
- PGP Key: [To be added]

We thank the security researchers who help keep BitFlow Finance safe:
- [List of contributors will be maintained here]

Last updated: January 2026