Vulnerability disclosure

1. How to report

Email security@upswap.io. Suggested subject format: [Vulnerability] <one-line summary>.

Please include in the email:

• Vulnerability type (XSS / CSRF / SQL injection / SSRF / business logic / information disclosure / cryptographic flaw / other)
• Impact scope (user wallets / user data / service availability / trade secret leakage)
• Reproduction steps (as detailed as possible, with URLs / payloads / screenshots)
• Suggested remediation (optional)
• Your contact details and PGP public key (if any)

2. Scope

The following assets are in scope:

• https://upswap.io main site (including all sub-paths)
• All /api/* endpoints
• Cloudflare Worker business logic (HMAC / nonce / KV storage)
• Trade secret protections (any vulnerability that allows the client or public APIs to reveal the identity of an upstream vendor)
• JurisdictionModal / cookie / localStorage handling

The following are out of scope:

• Vulnerabilities in user wallets themselves (MetaMask / Phantom, etc.)
• Contracts of upstream liquidity vendors (the routing networks we integrate) — please disclose to them directly
• Cloudflare infrastructure vulnerabilities — please disclose via Cloudflare HackerOne
• Phishing sites / social engineering — report to security@upswap.io and we will assist with takedowns
• Rate limit bypasses — in scope only when you can demonstrate actual harm (fee bypass / DoS)
• Known issues (low-grade findings from automated scanners, behavior not explicitly prohibited by this document)

3. Testing rules

• Do not interfere with, view, or modify real user orders
• Do not run DoS / DDoS / traffic-flood tests
• Do not exploit undisclosed 0days in production
• Test only with your own funds / test addresses, in small amounts (< $10 equivalent)
• Once a vulnerability is found, stop exploiting immediately and submit a report; do not use it for any other purpose
• Do not disclose publicly without written authorization (we commit to fixing within 90 days, or negotiating an extension)

4. Response timelines

• Within 24 hours: acknowledge receipt of the report
• Within 72 hours: initial assessment (confirmed / out of scope / more information needed)
• Within 7 days: initial mitigation for critical / high vulnerabilities
• Within 90 days: full fix and public disclosure (subject to mutual agreement)

5. Recognition

For researchers who disclose responsibly, we offer the following recognition:

• Hall of Fame: a thank-you entry added to this page
• Swag: UpSwap merchandise (stickers)

6. Severity classification

Per CVSS v3.1:

• Critical (CVSS 9.0-10.0): user fund loss / private key leakage / full RCE / large-scale trade secret leakage
• High (CVSS 7.0-8.9): unauthorized access to user data / OFAC sanctions screening bypass / quote system manipulation
• Medium (CVSS 4.0-6.9): limited information disclosure / XSS on non-critical paths / business logic flaws
• Low (CVSS 0.1-3.9): missing configuration hardening / low-impact information disclosure

7. Legal safe harbor

We commit to taking no legal action against responsible disclosure, provided that:

• You follow all testing rules on this page
• You access only data you created yourself or data that is public
• You do not publicly disclose vulnerability details until mutually agreed
• You do not demand a ransom

This safe harbor does not affect third-party rights; if your testing impacts other users or upstream vendors, we will not be able to protect you.

8. Hall of Fame

Thanks to the following researchers for making UpSwap safer:

• None yet — we hope you will be the first :)

9. Contact

All security matters: security@upswap.io

General support and urgent fund issues: support@upswap.io (this mailbox is not suitable for disclosing unfixed vulnerabilities)