# Vulnerability Disclosure

BlockATM values smart contract and system security, and we encourage responsible vulnerability disclosure.

## Disclosure Principles

We follow **responsible vulnerability disclosure** principles:

1. **Discoverer**: Privately reports the vulnerability to BlockATM
2. **BlockATM**: Verifies and fixes the vulnerability
3. **Coordinate**: Disclosure timing is coordinated with the discoverer
4. **Public**: The vulnerability is disclosed publicly after the fix

***

## Reporting Vulnerabilities

### Reporting Channels

If you discover a security vulnerability in BlockATM, please report it through one of the following channels:

| Channel  | Contact                 | Response Time   |
| -------- | ----------------------- | --------------- |
| Email    | <john.feng@chixi88.com> | Within 24 hours |
| Telegram | Passto\_john            | Within 12 hours |

{% hint style="warning" %}
**Important**:

* Do not publicly disclose the vulnerability until we have fixed it
* Do not exploit the vulnerability for testing
* Do not access data that does not belong to you
{% endhint %}

### Report Content

A complete vulnerability report should include:

#### Required Information

```
1. Vulnerability type
   - [ ] Smart contract vulnerability
   - [ ] API security vulnerability
   - [ ] Frontend XSS/CSRF
   - [ ] Authentication/authorization issue
   - [ ] Other (please specify)

2. Vulnerability description
   Clearly describe the nature and impact of the vulnerability

3. Reproduction steps
   Detailed steps that help us reproduce the problem quickly

4. Impact assessment
   - Systems that may be affected
   - Potential financial risk
   - Scope of affected users

5. Your contact details
   - Name/nickname
   - Email
   - Telegram (optional)
```

#### Optional Information

* Proof of concept code (PoC)
* Screenshots or screen recording
* Fix suggestions
* Related logs or transaction hashes

### Report Template

```markdown
# Security Vulnerability Report

## Summary
[Describe vulnerability in one or two sentences]

## Vulnerability Type
[Select from above types]

## Detailed Description
[Detailed description of vulnerability]

## Reproduction Steps
1. Step one
2. Step two
3. ...

## Impact Assessment
- Affected systems:
- Financial risk:
- Affected users:

## Fix Suggestions
[If you have suggestions, please provide]

## Contact
- Name:
- Email:
- Telegram:
```

***

## Disclosure Process

### Phase 1: Report Receipt (0-24 hours)

```
1. Discoverer submits the report
2. BlockATM security team confirms receipt
3. Preliminary assessment of vulnerability severity
4. Assign a person responsible for the fix
```

**Discoverer will receive**:

* Report receipt confirmation
* Vulnerability ID number
* Estimated fix time

### Phase 2: Verification and Fix (1-7 days)

```
1. Technical team verifies the vulnerability
2. Assess the scope of impact
3. Develop a fix plan
4. Internal testing of the fix
```

**Discoverer will receive**:

* Verification result
* Fix progress update
* Estimated public disclosure time

### Phase 3: Fix Deployment (7-14 days)

```
1. Deploy to the test environment
2. Comprehensive testing
3. Deploy to production
4. Monitor the running system
```

**Discoverer will receive**:

* Fix completion notification
* Public disclosure plan

### Phase 4: Public Disclosure (14-30 days)

```
1. Prepare the security bulletin
2. Coordinate the content with the discoverer
3. Publish the security bulletin
4. Thank the discoverer for their contribution
```

***

## Vulnerability Classification

We classify vulnerabilities according to the CVSS standard:

### 🔴 Critical

**Score**: 9.0 - 10.0

**Characteristics**:

* Can directly steal funds
* Unauthorized access to sensitive data
* Affects all users

**Response Time**: Within 24 hours

**Examples**:

* Smart contract reentrancy vulnerability
* Private key leak
* Signature verification bypass

### 🟠 High

**Score**: 7.0 - 8.9

**Characteristics**:

* Requires specific conditions to exploit
* Affects some users
* May lead to financial loss

**Response Time**: Within 48 hours

**Examples**:

* Authorization bypass
* Replay attack
* Logic vulnerability

### 🟡 Medium

**Score**: 4.0 - 6.9

**Characteristics**:

* Harder to exploit
* Limited impact
* Does not directly result in loss of funds

**Response Time**: Within 7 days

**Examples**:

* XSS cross-site scripting
* CSRF cross-site request forgery
* Information disclosure

### 🟢 Low

**Score**: 0 - 3.9

**Characteristics**:

* Very small impact
* Affects only user experience
* No direct security risk

**Response Time**: Within 30 days

**Examples**:

* Clickjacking
* Insecure third-party dependency
* Documentation error

***

## Reward Program

We provide rewards for responsible vulnerability disclosure:

### Reward Standards

| Severity | Reward Range     | Form                 |
| -------- | ---------------- | -------------------- |
| Critical | $5,000 - $50,000 | USDT + Certificate   |
| High     | $1,000 - $5,000  | USDT + Certificate   |
| Medium   | $100 - $1,000    | USDT + Certificate   |
| Low      | $0 - $100        | Certificate + Thanks |

### Reward Conditions

To receive a reward, you must:

* ✅ Be the first to report the vulnerability
* ✅ Provide sufficient information to reproduce it
* ✅ Follow the responsible disclosure principles
* ✅ Not publicly disclose vulnerability details until the fix is released

### Cases Without Reward

* ❌ The vulnerability was already publicly disclosed
* ❌ The vulnerability was exploited for testing
* ❌ Public disclosure was threatened to obtain a reward
* ❌ The responsible disclosure principles were violated

***

## Security Research Guide

### ✅ Allowed Research Activities

* Testing smart contracts on the testnet
* Analyzing publicly available smart contract code
* Testing the security of API interfaces
* Submitting vulnerability reports

### ❌ Prohibited Activities

* Attacking the production environment
* Accessing other users' data
* Testing operations that may cause financial loss
* Conducting DDoS attacks
* Social engineering attacks

### Test Environment

We provide a test environment for security research:

```
Testnet environment:
- URL: https://backstage-b2b-pre.ufcfan.org
- Test tokens: can be obtained from the faucet
- Smart contracts: test contracts are deployed
```

***

## Historical Vulnerability Disclosure

### 2025 Disclosure

#### \[CVE-2025-XXXX] Reentrancy Vulnerability Fix

**Disclosure Date**: 2025-03-15

**Severity**: Critical

**Description**: A potential reentrancy vulnerability was found in version V2.1.0.

**Affected Versions**: V2.0.0 - V2.1.0

**Fixed Version**: V2.1.1

**Thanks**: @security\_researcher

[View detailed announcement](https://github.com/BlockATMOnLine/docs/blob/main_en/changelog/v2.1.1.md)

***

## FAQ

### Q: Can I publicly test discovered vulnerabilities?

A: No. Responsible disclosure requires you to report it to us privately first, giving us time to fix it.

### Q: How long does it take to get a reply?

A:

* Critical/High: 24-48 hours
* Medium: 7 days
* Low: 30 days

### Q: Can I report anonymously?

A: Yes, but we prefer that you leave contact information so we can communicate with you and pay out rewards.

### Q: How are rewards distributed?

A: Rewards are distributed in USDT to your specified wallet address.

### Q: Must I publicly disclose after the vulnerability is fixed?

A: We encourage public disclosure but respect your choice. We will publish a security bulletin and credit you.

***

## Contact Us

### Security Team

* 💬 Telegram: Passto\_john
* 📧 Email: <john.feng@chixi88.com>

### PGP Key

For encrypted communication, please use our PGP public key:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----

[PGP Public Key]

-----END PGP PUBLIC KEY BLOCK-----
```

Fingerprint: `XXXX XXXX XXXX XXXX XXXX`

***

## Update Record

| Version | Date       | Update Content              |
| ------- | ---------- | --------------------------- |
| v1.0    | 2025-01-01 | Initial version             |
| v1.1    | 2025-06-01 | Added reward program        |
| v2.0    | 2026-01-01 | Improved disclosure process |

***

## Next Steps

* [Contract audit report →](/security/audit-report.md)
* [Security best practices →](/security/best-practices.md)
* [Self-custody description →](/security/self-custody.md)

