The Decred project runs a bug bounty program which is approved by the stakeholders and is funded by the Decred treasury.

Please refer to the bounty website to understand the scope and how to submit a vulnerability.

https://bounty.decred.org/

All bugs must be reproducible in the latest production release or the master branch of the code.