Axodus Dashboard • Security Policy
Last updated April 21 2025
| Component / Branch | Version Range | Status |
|---|---|---|
| Dashboard Front‑end | >= 5.1.0 | :white_check_mark: Supported |
| | 5.0.x | :x: End‑of‑life |
| | 4.0.x | :white_check_mark: Supported (LTS) |
| | < 4.0 | :x: Unsupported |
| API / Back‑end | >= 2.0 | :white_check_mark: Supported |
| | < 2.0 | :x: Unsupported |
| Smart‑Contracts | v1.x (Aggregator.sol, etc.) | :white_check_mark: Active |
| | < 1.0 | :x: Unsupported |
Security fixes are back‑ported to the latest minor of each supported major version. Upgrade promptly to remain protected.
We encourage responsible disclosure and will never take legal action against researchers acting in good faith.
| Channel | Use for | How |
|---|---|---|
| Email (preferred) | Any suspected vulnerability | security@axodus.finance (encrypt with our PGP key 0xA1X0DUS) |
| Security Form | Low‑sensitivity reports | https://axodus.finance/security/report |
| Bug‑bounty portal | Reward‑eligible issues | https://hackerone.com/axodus |
Please include in your report:
- Proof‑of‑concept or reproducible steps
- Affected version/commit, environment, network, wallet, etc.
- Impact assessment (data exposure, financial loss, DoS, …)
- Suggested remediation (optional)
| Phase | Timeframe (business days, UTC‑3) |
|---|---|
| Acknowledgement | ≤ 2 days |
| Initial triage & CVSS score | ≤ 5 days |
| Status update cadence | Weekly until resolution |
| Public advisory | ≤ 90 days † |
† We may extend the 90‑day window by agreement when a coordinated fix requires more time.
- Triage team review
  - Reproduce, assign CVSS v3.1 base score, label severity.
  - Confirm scope (frontend, API, smart‑contract, infra).
- Patch preparation (private branch)
  - For smart‑contracts, include full test suite + audit notes.
  - For web/API, create regression tests.
  - Internal validation (CI + manual).
- Coordinated release
  - Publish fixed versions & advisory (GHSA‑xxxx).
  - Credit reporter (opt‑in Hall of Fame) and arrange bounty.
  - Back‑port to supported LTS lines.
- Public disclosure after the patch is available or at the 90‑day deadline.
| CVSS v3.1 Base | Severity | Typical Action |
|---|---|---|
| ≥ 9.0 | Critical | Immediate out‑of‑band release |
| 7.0 – 8.9 | High | Patch in next security release (≤ 7 days) |
| 4.0 – 6.9 | Medium | Patch in next minor / patch cycle |
| < 4.0 | Low | Document / fix as time permits |
We reference the latest FIRST CVSS v3.1 spec for scoring.
- Hall of Fame – Annual list of top contributors.
- Bug Bounties – Monetary rewards via HackerOne (see portal for scope & payout table).
- Swag – Stickers, T‑shirts, hardware wallets for notable reports.
Out of scope (not eligible for reward):
- UI/UX bugs with no security impact
- Rate‑limiting / anti‑bot bypass with no data exposure
- Self‑XSS in debug consoles
- Vulnerabilities only exploitable on outdated browsers or end‑of‑life dependencies
- Denial‑of‑service that requires > 10 Gbps traffic (unrealistic scale)
We will not pursue civil or criminal action, nor will we initiate a complaint with law enforcement, for accidental, good‑faith violation of this policy. Conditions:
- Do not compromise user data or privacy beyond what is necessary to prove the vulnerability.
- Do not exploit the issue for personal gain.
- Do not publicly disclose before receiving written confirmation that the fix is available or the 90‑day deadline elapses.
- Comply with relevant laws in your jurisdiction.
- Security advisories: https://github.com/mzfshark/axodus/security/advisories
- RSS feed: https://axodus.finance/security.xml
- PGP key & fingerprints: https://axodus.finance/pgp.txt
Thank you for helping keep Axodus and its users safe!