Security & Compliance
We follow responsible-disclosure practices and prepare an audit-ready package as part of mainnet graduation.
A machine-readable policy is published per RFC 9116 at /.well-known/security.txt on every gateway subdomain.
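The following checker is an added example and not part of the project's own tooling: it parses a security.txt body and reports what a reviewer would flag before publishing the file under /.well-known/ (missing Contact or Expires, repeated single-value fields, non-https web URIs, an Expires value that is missing, malformed, already past, or more than a year out). The embedded sample file is constructed for the example; the contact address is the one given on this page, while the `gateway.example` host in the Acknowledgments and Canonical URLs is an assumed placeholder.

```python
"""Validator for an RFC 9116 security.txt file (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample. "security@mo.fit" is the contact given on the page;
# the gateway.example host is an assumed placeholder, not a real address.
SAMPLE_SECURITY_TXT = """\
# Security policy for the testnet gateway (constructed sample)
Contact: mailto:security@mo.fit
Expires: 2026-06-01T00:00:00Z
Acknowledgments: https://gateway.example/security/hall-of-fame
Canonical: https://gateway.example/.well-known/security.txt
Preferred-Languages: en
"""

# RFC 9116 section 2.5: Contact and Expires are required; Expires and
# Preferred-Languages must not repeat; web URIs must use https.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_FIELDS = ("Expires", "Preferred-Languages")
HTTPS_ONLY_FIELDS = ("Acknowledgments", "Canonical", "Hiring", "Policy")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def _parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing Z is accepted as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(body: str) -> tuple[dict[str, list[str]], list[str]]:
    """Split a security.txt body into (fields, malformed_lines).

    fields maps the canonical field name to every value seen, in order;
    malformed_lines holds non-comment lines that are not "Name: value".
    Field names are case-insensitive per the RFC, so they are normalised.
    """
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields: dict[str, list[str]] = {}
    malformed: list[str] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            malformed.append(line)
            continue
        key = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(key, []).append(value.strip())
    return fields, malformed


def check_security_txt(body: str, now: datetime | str | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passes.

    `now` may be an aware datetime or an RFC 3339 string (handy for
    reproducible checks); it defaults to the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_rfc3339(now)
    fields, malformed = parse_security_txt(body)
    problems = [f"malformed line: {line!r}" for line in malformed]

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field (check spelling): {name}")

    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be an https, mailto or tel URI: {value!r}")
    for name in HTTPS_ONLY_FIELDS:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} must be an https URI: {value!r}")

    for value in fields.get("Expires", []):
        try:
            expires = _parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires must carry a timezone offset: {value!r}")
        elif expires <= now:
            problems.append(f"policy file has expired: {value}")
        elif expires - now > timedelta(days=365):
            problems.append(f"Expires is more than a year out (RFC recommends less): {value}")
    return problems


if __name__ == "__main__":
    for issue in check_security_txt(SAMPLE_SECURITY_TXT) or ["OK: no problems found"]:
        print(issue)
```

Run it against the file served by each gateway subdomain before a release; an expired or missing Expires is the most common way a published security.txt silently stops being valid.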
Reporting a vulnerability
Please report privately through one of the following channels:
- Email: security@mo.fit
- GitHub Security Advisories (preferred): open a private advisory in the source repository.
Do not open a public issue, PR, or social post for an unfixed vulnerability, and do not access or destroy data that is not your own. A good report includes the affected component / contract address / domain, impact, and reproduction steps or PoC.
Response timeline
| Stage | Target |
|---|---|
| Acknowledgment | ≤ 48 hours |
| Initial triage | ≤ 5 business days |
| Status updates | weekly until closed |
| Public disclosure | 90 days after a fix is deployed, or as mutually agreed |
We support coordinated disclosure and offer safe harbor for good-faith research that follows this policy.
Bug bounty
The full program (in-scope contracts, services, domains, and reward tiers) is defined in BUG_BOUNTY.md at the repository root. During the testnet phase, rewards are paid in test MO (no monetary value).
| Severity | Reward (test MO) | Examples |
|---|---|---|
| Critical | 100,000 | Bridge fund loss; mint/unlock without a valid source event; validator key compromise |
| High | 20,000 | Privilege escalation; multisig/timelock bypass; DEX router fund drain |
| Medium | 5,000 | Permanent DoS of a specific service; auth bypass without direct fund loss |
| Low | 1,000 | Reflected XSS; rate-limit bypass; sensitive info leak |
Out of scope: upstream software (BSC/geth, Uniswap, OpenZeppelin, Cloudflare, Caddy, Docker, Node.js), simple volumetric DoS, testnet-only reset issues, social engineering, and physical attacks.
Audit readiness
The graduation package includes:
- Source + deployment scripts + build metadata for reproducible verification.
- Contract source verified on the explorer (Read/Write Contract panels available).
- Test coverage reports (`forge coverage`).
- Synthetic monitoring + alerting for chain, bridge, and DEX health.
Hardening roadmap (testnet → mainnet)
| Area | Testnet | Mainnet target |
|---|---|---|
| Bridge relayer | 1-of-1 demo | N-of-M multisig + HSM |
| Ownership | EOA / dev Safe | 3-of-5 Safe + 48h Timelock |
| ENS root | deployer-owned | multisig + timelock |
| Price oracle | mock | Chainlink-style feed |
Hall of Fame
Researchers who responsibly disclosed valid vulnerabilities are credited here (opt-in).
This section is referenced by the Acknowledgments field in security.txt.
(To be populated.)