At ShapeShift, we take security seriously. We encourage independent security researchers to contact us in order to privately report security vulnerabilities or issues. The information on this page is intended for those security researchers that are interested in reporting security vulnerabilities directly to the ShapeShift security team.

Reporting a Vulnerability

If you would like to disclose a vulnerability to ShapeShift, we encourage you to email [email protected] Please include the following information in your email:
  • Your name, nickname, handle, or what you’d like to be called while we communicate with you
  • The date/time you first identified the vulnerability
  • How you identified the vulnerability
  • As much detail about the vulnerability as you can
  • Any additional information you feel may be pertinent

Report Lifecycle

After you make a report, we will work with you to confirm it and assess its impact. Once we've been able to confirm the issue, we'll work to remediate it. We ask that you keep your report confidential for 90 days after you make it, to give us a chance to remediate the issue and protect our users.
After we have fixed the issue -- or after 90 days, whichever comes first -- we will release a summary of the issue you reported and any remediation steps we've taken, and you are free to publish.


If you would like to encrypt your vulnerability report, please use the following GPG key.
Security Workstream GPG Key
Copy link
Edit on GitHub
On this page
Reporting a Vulnerability
Report Lifecycle