Security & Responsible Disclosure
HashClue interacts with smart contracts, cryptographic mechanisms, and on-chain state. Independent security research conducted in good faith is welcomed. If you believe you have found a vulnerability in the contracts, web interface, API layer, or supporting infrastructure, report it through the process below.
Coordinated Disclosure
HashClue follows a private coordinated disclosure model. When a vulnerability is reported the team will work with the researcher to understand the issue, assess severity, and develop a fix before any public disclosure. The goal is to resolve issues quietly and effectively.
Researchers who report vulnerabilities can expect acknowledgment of receipt, reasonable communication during remediation, and credit if desired once the issue is resolved.
Process diagram: disclose (privately) -> patch -> disclose (publicly); observe -> report -> fix (map the surface, report the fault).
Expectations for Researchers
If you choose to investigate HashClue's security the following apply.
- Act in good faith. Research should aim to identify and report vulnerabilities, not to exploit them or cause harm.
- Do not access user data. Do not attempt to access, modify, or exfiltrate data belonging to other users. If you encounter such data inadvertently, do not retain or distribute it.
- Do not disrupt the system. Avoid actions that could degrade availability, corrupt state, or interfere with normal operation of the protocol.
- Do not interact with live round state. Security research must not involve submitting guesses, unlocking clues, or any transaction that affects the active round's pot, state, or progression. Use a local fork or read-only methods.
- Do not disclose publicly before resolution. Allow reasonable time for assessment and remediation before making details public. Coordinate timing with the team. If no agreement is reached within 90 days of acknowledgment, you may disclose at your discretion.
- Provide sufficient detail. Reports should include enough information to reproduce and verify the issue.
Safe Harbour
Security research conducted in accordance with this policy is explicitly authorised. We will not pursue civil action or refer for criminal prosecution any researcher who acts within this scope and in good faith.
Activity outside this scope is unauthorised and may be met with proactive response.
This safe harbour applies to the HashClue protocol and infrastructure only. It does not extend to third-party services, and it does not override applicable law. If at any point you are uncertain whether your research falls within scope, ask before acting.
Bug Bounty Programme
HashClue operates a limited bug bounty programme. Rewards are paid from operational funds and are not drawn from the prize pot.
Severity & Rewards
| Severity | Reward | Qualifying findings |
| --- | --- | --- |
| Critical | 0.5 to 2 ETH | Direct loss or theft of pot funds. Bypass of hash verification. Unauthorised payout release. Manipulation of round state by non-Cartographer. |
| High | 0.1 to 0.5 ETH | Permanent denial of service against the contract (beyond known Cartographer-loss risk). Griefing that blocks legitimate winners. Clue content leakage before unlock. |
| Medium | 0.02 to 0.1 ETH | Web application flaws leaking server-side state, encrypted clue plaintext, or credentials. API bypass of pricing logic. Indexer manipulation producing incorrect trusted display state. |
| Low | up to 0.02 ETH or acknowledgment | Information disclosure that marginally reduces search space. UI bugs that misrepresent round state. Feed integrity issues. |
Ranges, not guarantees. Final amount reflects exploitability, impact, and report quality. Payments are made within 90 days of the fix being deployed, not on report or acknowledgment.
Total bounty payments are subject to an annual aggregate cap of 5 ETH. If the cap is reached, the programme may be suspended or payments deferred.
In Scope
- The deployed HashClueRound contract (verified source)
- The web application at hashclue.com (all routes and API endpoints)
- Server-side secret handling and clue encryption paths
- Event indexer logic
- Infrastructure configuration (DNS, TLS, headers)
Out of Scope
- Protocol design, economics, game mechanics, and trust model (these are intentional and documented)
- The Cartographer trust assumption (Threat Model §2, Constitution)
- Physical-layer attacks: cache tampering, surveillance, social engineering
- Third-party service vulnerabilities (Alchemy, Neon, Cloudflare) unless the flaw is in HashClue's integration
- Brute-force coordinate enumeration (documented, by design)
- Findings requiring the Cartographer's private key
- Volumetric denial of service against infrastructure providers
- Phishing or social engineering of any party
- Theoretical vulnerabilities without a proof of concept or clear reproduction steps
- Findings already documented in the public Threat Model
Programme Rules
- No self-enrichment. Exploiting a vulnerability for competitive advantage or fund extraction disqualifies the report and the reporter.
- One report per finding. Splitting a single issue across multiple reports, or submitting under multiple identities, will be treated as one submission.
- No public disclosure before resolution. Reports disclosed before the agreed timeline are ineligible. The 90-day disclosure right (above) applies.
- Proof of concept required for High and Critical severity claims.
- No scanner noise. Bulk automated output without analysis is not a valid report.
- First reporter wins. Duplicate reports receive no payment. Priority is determined by receipt timestamp.
- Payments are discretionary. The Cartographer reserves the right to adjust or withhold payment for reports that are materially incomplete, duplicative, or submitted in bad faith.
Wall of Fame
Researchers whose reports lead to confirmed fixes will be credited on the HashClue Wall of Fame, unless they prefer to remain anonymous. Inclusion is at the researcher's discretion and requires only a name or handle.
The Wall of Fame is forthcoming.
Contact
All security reports should be sent to security@hashclue.io.
Include a clear description of the vulnerability, steps to reproduce, and any supporting materials. Do not use this address for general enquiries or support.