Security is a top priority for Socket Inc, the company behind Wormhole. Socket believes that working with security researchers is crucial in making the web safer.
If you believe you've found a security issues in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly. Thanks in advance!
This is approximately how much we expect to pay for reports. Understand that this is a guide – it's meant to help set expectations.
If you believe you've discovered a potential security issue, please let us know by emailing us at [email protected] We will acknowledge your email within five business days. Please only use this address to report security flaws and not for general product support.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
If you would like to send us an encrypted report, email us with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on this page.
We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.
The following are explicitly in scope for this program:
wormhole.appand all its subdomains
socket.devand all its subdomains
While researching, we'd like you to refrain from:
Thank you for helping to keep our users safe!
We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://wormhole.app/security/disclosure.
Last updated: 2021-04-15