> For the complete documentation index, see [llms.txt](https://docs.bextree.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bextree.com/security/responsible-disclosure.md).

# Responsible Disclosure

Found a vulnerability? We want to hear about it, and we'll treat you well for telling us.

## How to report

* Email **<support@bextree.com>** with subject line starting `[SECURITY]`.
* Our machine-readable policy: [bextree.com/.well-known/security.txt](https://www.bextree.com/.well-known/security.txt)

Include what you can: affected component (web app, API, on-chain program), reproduction steps, and impact assessment. Proof-of-concept is welcome; live exploitation of other users' funds or data is not.

## What we commit to

* **Acknowledgement within 48 hours**, a substantive assessment within 7 days.
* No legal action against good-faith research that respects the ground rules below.
* Credit (if you want it) once a fix ships.

## Ground rules

* Don't access, modify, or destroy other users' data or funds.
* Don't degrade the service (no DoS, no spam).
* Give us reasonable time to fix before public disclosure — we'll agree on a timeline in the first exchange, and we default to 90 days.

## Scope

* **In scope:** bextree.com, the marketplace API and server actions, wallet-auth flows, and (once deployed publicly) the on-chain programs.
* **Out of scope:** third-party protocols we integrate with (Streamflow, Orca, Raydium, Meteora — report to them directly), and social engineering of Bextree staff.

A paid bug bounty is planned to accompany the mainnet program deployment; until then, rewards are discretionary.
