Contact: [email protected]

At Reclaim Protocol, we prioritize the security of our systems. However, we acknowledge that vulnerabilities may still exist despite our best efforts. We appreciate your help in identifying and reporting these vulnerabilities so we can address them promptly.

We do not consider the following to be in-scope vulnerabilities:

• Clickjacking on non-sensitive pages
• CSRF on authentication-related actions
• Attacks requiring man-in-the-middle or physical device access
• Denial of Service (DoS) attempts
• Content spoofing or text injection without demonstrable risk
• Email spoofing
• Missing security headers (DNSSEC, CAA, CSP)
• Non-secure flags on non-sensitive cookies
• Broken links

When reporting a vulnerability, please:

1. Email your findings to [email protected]
2. Avoid using automated scanners on our infrastructure or dashboard without prior permission
3. Refrain from exploiting the vulnerability beyond what's necessary to demonstrate it
4. Keep the issue confidential until it's resolved
5. Do not attempt physical security breaches, social engineering, DDoS, spam, or attacks on third-party applications
6. Provide sufficient details to reproduce the issue (typically, the affected IP/URL and a vulnerability description)

In response to your report, we will:

1. Acknowledge receipt within 3-5 business days, including our assessment and expected resolution timeline
2. Not pursue legal action if you've adhered to these guidelines
3. Maintain strict confidentiality and protect your personal information
4. Keep you updated on our progress
5. Publicly credit you as the discoverer (unless you prefer otherwise)
6. Strive for swift resolution and collaborate with you on the final disclosure

We value your contribution to improving our security and look forward to working together to resolve any identified issues.