Responsible Disclosure

RAX Protocol is committed to the responsible disclosure and remediation of security vulnerabilities.


Scope

Responsible disclosure applies to vulnerabilities in RAX Protocol smart contracts, the vault and strategy adapter system, API and data handling, allocation and risk engine logic, and user-facing applications.

Issues affecting external protocols (Aave, Compound, etc.) should be reported to their respective maintainers.

How to Report

If you believe you have identified a security vulnerability, please report it privately. Reports should include a clear description, steps to reproduce, potential impact assessment, and any relevant proof of concept.

Do not publicly disclose vulnerabilities before remediation or coordination.

Process

Upon receiving a report, RAX will acknowledge receipt, assess severity and impact, work to validate and remediate, and coordinate disclosure timing. All reports are handled promptly.

Bug Bounty

A formal bug bounty program may be introduced in the future. Until then, responsible disclosure is encouraged and recognition may be provided on a case-by-case basis.
