EtaFinance Security Policy & Vulnerability Disclosure
Effective Date: September 3, 2025
Last Updated: September 3, 2025
Security is critical to EtaFinance's mission of providing safe, trustless decentralized
exchange services. We operate under a non-custodial model - we never hold user funds - but
we recognize that vulnerabilities in smart contracts, front-end code, or infrastructure can
impact users and the broader ecosystem.
This policy outlines how we approach security and how security researchers can responsibly
disclose potential issues.
1. Security Commitment
We are committed to:
- Deploying smart contracts that have been audited by reputable third parties
- Monitoring on-chain activity and system performance for anomalies
- Applying timely patches and upgrades when vulnerabilities are discovered
- Maintaining a collaborative relationship with the security research community
2. Scope
This policy covers:
- EtaFinance smart contracts deployed on supported blockchains
- The EtaFinance web application and associated APIs
- Infrastructure used to deliver the Application (e.g., hosting, DNS, front-end code)
Out of scope:
- Attacks requiring physical access to our offices or team members
- Social engineering of EtaFinance staff or users
- Third-party platforms or services we integrate with (e.g., wallet providers) - those should be reported directly to the third party
3. Reporting a Vulnerability
If you discover a potential vulnerability, please:
Email: [email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any proof-of-concept code or transaction hashes
Use encrypted email (PGP) if your report contains sensitive exploit details
4. Responsible Disclosure Guidelines
We ask that you:
- Avoid exploiting the vulnerability beyond what is necessary to prove its existence
- Do not publicly disclose the vulnerability until we have confirmed and mitigated it
- Do not access, modify, or delete any user data
- Comply with applicable laws when testing or reporting
5. Our Response Process
When you submit a vulnerability report, we will:
- Acknowledge receipt within 72 hours
- Provide regular status updates until the issue is resolved
- Aim to resolve critical vulnerabilities within 14 days of confirmation
- Credit you (if desired) in our public acknowledgments after resolution
6. Safe Harbor
If you follow this policy in good faith when reporting a vulnerability, we will:
- Not initiate legal action against you for your research
- Consider your actions authorized under applicable anti-hacking laws
- Work with you to understand and address the issue
7. Optional Bug Bounty
While we do not yet operate a formal bug bounty program, we may offer good-faith rewards
for high-impact findings based on severity, exploitability, and potential user impact.