The Khalani team takes security seriously and appreciates your efforts to responsibly report your findings. We will do everything we can to ensure you are properly rewarded for your contributions.
To report a security issue, please email security[at]tunnelvisionlabs.xyz. The subject header should look like the following "Bug Report: [Severity Level] [descriptive name]".
Severity Level must be one of:
- Low
- Moderate
- High
- Critical
The Khalani team will review and respond within 48 hours.
In order to be eligible for a bug or security bounty, you must follow the below guidelines.
The Khalani team will perform an internal audit to ensure these guidelines were followed prior to distributing a bounty:
- If you gain write access to any of Khalani's systems, you must not perform unauthorized actions in that system. Do only the bare minimum required to confirm that the bug exists; do not read, modify, or exfiltrate data beyond what that confirmation requires.
- If you cannot verify a bug without interacting with our systems in a way that goes beyond that minimum, you must refrain from performing the interaction and instead report your suspicion via the instructions detailed in this document.
- Khalani is obligated to follow all laws and regulations related to bounty distributions, including basic KYC. We will work with you and our legal team to quickly and efficiently perform KYC so that we can distribute your rightfully-earned bounty to you.
- Bounty payout amounts are determined on a case-by-case basis. We aim to be fair and structure payouts per standard market rates for each severity level. Khalani will fairly assess the severity of the bug to determine if the reported severity and actual severity match. If they do not match, Khalani will provide a thoughtful explanation as to the re-assessment of the severity level.
- Threats, attempted exploitation, or other adversarial behavior will disqualify the report from any bounty.
Report security bugs in third-party modules to the person or team maintaining the module. You can also report a vulnerability through the npm contact form by selecting "I'm reporting a security vulnerability".