Security

At ShapeShift, we take security seriously. We encourage independent security researchers to contact us in order to privately report security vulnerabilities or issues. The information on this page is intended for those security researchers that are interested in reporting security vulnerabilities directly to the ShapeShift security team.
Reporting a Vulnerability
If you would like to disclose a vulnerability to ShapeShift, we encourage you to email [email protected] Please include the following information in your email:
Your name, nickname, handle, or what you’d like to be called while we communicate with you
The date/time you first identified the vulnerability
How you identified the vulnerability
As much detail about the vulnerability as you can
Any additional information you feel may be pertinent
Report Lifecycle
After you make a report, we will work with you to confirm it and assess its impact. Once we've been able to confirm the issue, we'll work to remediate it. We ask that you keep your report confidential for 90 days after you make it, to give us a chance to remediate the issue and protect our users.
After we have fixed the issue -- or after 90 days, whichever comes first -- we will release a summary of the issue you reported and any remediation steps we've taken, and you are free to publish.
COMSEC
If you would like to encrypt your vulnerability report, please use the following GPG key.
Security Workstream GPG Key

General Information - Previous

Branching

Next - Yieldies

Overview

Last modified 6mo ago

Copy link

Edit on GitHub

On this page

Reporting a Vulnerability

Report Lifecycle

COMSEC