The Perpetual Organization Protocol (POP) is a production smart-contract system used by real organizations with real treasuries. Responsible disclosure is essential. Please follow the process below before any public discussion of a vulnerability.
Email hudson@poa.community with the subject line [POP SECURITY] and a clear description of the issue. If you would prefer encrypted communication, request a PGP key in your initial email and we will provide one.
In your report, please include:
- Affected contract(s) and file path(s) under `src/` (and the commit SHA you tested against).
- A reproduction or proof-of-concept (Foundry test preferred), or, if a PoC is impractical, a detailed walkthrough of the attack steps.
- The suspected impact (funds at risk, governance bypass, denial of service, etc.).
- Any relevant on-chain transactions, addresses, or organizations that demonstrate the issue.
- Whether the issue is already publicly known.
Please do not open a public GitHub issue, post in Discord, or discuss on social media until we have coordinated disclosure.
| Stage | Target timeline |
|---|---|
| Acknowledgement of report | Within 48 hours |
| Initial triage and severity assessment | Within 5 business days |
| Fix and patched release for critical/high issues | As fast as practicable; typically within 14 days |
| Public disclosure | Coordinated with the reporter after the fix has shipped to all affected networks |
We will keep you informed throughout. If you do not receive an acknowledgement within 48 hours, please follow up; email is occasionally unreliable.
In scope:
- All contracts under `src/`, including `src/libs/`, `src/factories/`, `src/crosschain/`, `src/lens/`, `src/cashout/`.
- The deployment scripts under `script/` when relevant to a privileged or production deployment path.
- Cross-chain message handling between `PoaManagerHub` and `PoaManagerSatellite`.
Out of scope:
- Tests in `test/`, helper scripts in `scripts/`, and the auto-generated layout snapshots under `upgrades/`.
- Third-party dependencies. Please report directly to the upstream project:
  - OpenZeppelin contracts → openzeppelin-contracts
  - Hats Protocol → hats-protocol
  - forge-std → forge-std
  - Solady → solady
  - Hyperlane → hyperlane-monorepo
- Issues in poa-box/subgraph-pop, poa-box/Poa-frontend, or poa-box/poa-cli. File those directly in the relevant repo (or use the same email if it's a coordinated cross-repo issue).
- Known-as-designed behaviors:
  - `ParticipationToken` reverts on `transfer`/`transferFrom`; non-transferability is intentional.
  - `Executor` ownership is renounced after deployment; the only authorized caller is the configured voting contract.
  - `SwitchableBeacon.renounceOwnership()` reverts; losing ownership would brick the beacon.
  - The optimizer is disabled in the default Foundry profile (see `foundry.toml` for the rationale).
There is currently no formal bounty program. We do recognize and credit researchers who report valid vulnerabilities, and significant findings may be eligible for a discretionary award funded from the protocol's solidarity fund. Reach out before publishing your work and we will discuss in good faith.
Researchers who have responsibly disclosed valid vulnerabilities will be credited here (with their consent).
No disclosures yet.
For non-security questions, see CONTRIBUTING.md and the community channels listed in the README.