Send files

Responsible Disclosure Policy

Security is a top priority for Socket Inc, the company behind Wormhole. Socket believes that working with security researchers is crucial in making the web safer.

If you believe you've found a security issues in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly. Thanks in advance!

Bounty Schedule

This is approximately how much we expect to pay for reports. Understand that this is a guide – it's meant to help set expectations.

  • $0 — We're aware of this, or we don't really see it as a security issue.
  • $100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.
  • $250 — A minor security problem. It's likely not getting fixed in the next release.
  • $500 — Definitely a real problem that puts users at risk. We will ship a fix in a scheduled release.
  • $1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems – but if we do, we really want to hear about them.

Disclosure Policy

  • If you believe you've discovered a potential security issue, please let us know by emailing us at [email protected]. We will acknowledge your email within five business days. Please only use this address to report security flaws and not for general product support.

  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • If you would like to send us an encrypted report, email us with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on this page.

  • We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.


The following are explicitly in scope for this program:


While researching, we'd like you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Socket employees or contractors
  • Any physical attempts against Socket's physical property or data centers

Thank you for helping to keep our users safe!


We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://wormhole.app/security/disclosure.

Last updated: 2021-04-15

    • Why We Built This
    • FAQ
    • Roadmap
    • Security
    • Legal
    • Twitter
    • Discord
    • Protected by Socket