Responsible Disclosure

Multyr welcomes security researchers who identify vulnerabilities in our code, infrastructure, or processes.

Primary contact

For sensitive reports, a PGP public key and a dedicated disclosure channel will be published when the bug bounty program goes live (Q3 2026 target).

Scope

During the shadow testing phase, the primary scope includes:

Smart contracts published on GitHub
Governance Safes and related configurations (see Governance Addresses)
Websites and documentation (reflected/DOM-based XSS, authentication, access control)

Out of scope

Denial of service attacks requiring large resources
Social engineering attacks against team members
Physical attacks

Safe harbor

Multyr commits to not pursue legal action against researchers who:

Act in good faith
Do not exploit vulnerabilities beyond what is necessary to demonstrate
Do not access or modify user data or funds
Report privately and give reasonable time for remediation before disclosure
Do not engage in extortion

Response timeline

Initial acknowledgment: within 72 hours
Initial assessment: within 7 days
Remediation timeline: case-by-case, communicated after assessment
Public disclosure coordination: before any public disclosure, when possible

Bug bounty

A formal bug bounty program is scheduled to go live concurrent with the first audit report publication, targeted Q3 2026. Platform: Immunefi. Reward tiers will be announced at launch.

Contact channels

security@multyr.fi — primary
GitHub Security Advisories on github.com/Multyr — for code-specific issues

Primary contact​

Scope​

Out of scope​

Safe harbor​

Response timeline​

Bug bounty​

Contact channels​