At Composable Finance we are always striving towards writing secure and stable code. If you have found a critical bug or a security
vulnerability, you can simply report your findings to us.

When you report a security vulnerability please include:

• Description of the findings
• Platform(operating system, and rust version)
• Reproducible code sample(Make the vulnerability easy to reproduce)
• Type, Severity and impact of Vulnerability
• Name to be credited if the vulnerability makes it to an official vulnerability advisory

The more information you provide the better. We recommend submitting a report where you describe the vulnerability, show us how you found it and provide reproducible code samples. Providing mitigation advice is also recommended.

The report should be submitted to reporting@composable.finance.

We are encouraging responsible disclosure of security vulnerabilities by providing a legal safe harbor. In return, we ask you to not publicly disclose your findings until either 2 weeks of time has passed or after the bugs have been acknowledged and fixed.

What is currently in scope is finding bugs in a our code base running in a local environment. Exploiting production systems is strictly prohibited

Rewards are granted depending on the severity of the vulnerability, ranging from $50 to $30.000, payed out in PICA tokens.