Avalanche takes the security of the platform and of its users very seriously. We and our community recognize the critical role of external security researchers and developers and welcome responsible disclosures. Valid reports will be eligible for a reward (terms and conditions apply).

Please do not file a public ticket mentioning the vulnerability. To disclose a vulnerability submit it through our Bug Bounty Program.

Vulnerabilities must be disclosed to us privately with reasonable time to respond, and avoid compromise of other users and accounts, or loss of funds that are not your own. We do not reward spam or social engineering vulnerabilities.

Do not test for or validate any security issues in the live Avalanche networks (Mainnet and Fuji testnet), confirm all exploits in a local private testnet.

Please refer to the Bug Bounty Page for the most up-to-date program rules and scope.

Please use the most recently released version to perform testing and to validate security issues.