Vulnerability Disclosure Policy
Effective Date: May 2026 Version: 1.0
VIRTUS Protocol is built on transparency and trust. All smart contracts are immutable, publicly verified, and open for anyone to read, audit, and test. We have nothing to hide.
If you find a vulnerability — we want to know. Security and reputation matter equally — that is why everything is open and honest. Report it to us, we will investigate, fix it, and be genuinely grateful. That is the entire point of this policy.
We do not offer monetary rewards, but we deeply respect the work of security researchers and will recognize anyone who helps make VIRTUS safer.
No monetary rewards are offered. Valid findings will be acknowledged and credited with the researcher's consent.
How to Report
Email: VIRTUSplatform@proton.me
Subject: [SECURITY] Brief description
Discord: https://discord.gg/G4egFSGBYg
Include in your report:
| Field | Description |
|---|---|
| Affected component | Contract address, URL, or endpoint |
| Description | What the vulnerability is and how it works |
| Proof of concept | Steps to reproduce (required for smart contract reports) |
| Impact | What an attacker could achieve |
| Severity | Your assessment: Critical / High / Medium / Low |
Process
We will acknowledge your report, investigate, and keep you informed. Critical and high severity findings affecting user security are treated as immediate priority — we act as fast as possible. Lower severity issues are addressed in order of risk. Public disclosure is coordinated with the reporter after the fix is in place.
Recognition
No monetary rewards are offered. Valid reports from researchers who consent to recognition may receive:
- Listing in the Security Hall of Fame on this documentation site
- Public acknowledgement on X or Discord
Recognition is only with your explicit consent. Anonymity is respected by default — your identity will not be disclosed without your permission.
No Rewards Disclaimer
VIRTUS Protocol does not operate a paid bug bounty program. No payment is guaranteed or implied. If a paid program is launched in the future, reports submitted under this Policy will not be eligible for retroactive rewards.
Last updated: May 2026 — Version 1.1
© 2026 VIRTUS Protocol. All rights reserved.