
Security: cascade-protocol/splits


Security Policy

Supported Versions

Version   Supported
0.1.x     yes

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Email: hello@cascade.fyi

Subject line: [SECURITY] Brief description

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Response Timeline

  • Initial response: Within 48 hours
  • Status update: Within 7 days
  • Resolution target: Within 30 days (depending on severity)

Scope

In Scope

  • Cascade Splits on-chain program (SPL1T3rERcu6P6dyBiG7K8LUr21CssZqDAszwANzNMB)
  • SDK package (@cascade-fyi/splits-sdk)
  • Smart contract logic vulnerabilities
  • Token handling and distribution bugs
  • Access control issues
  • Arithmetic errors

Out of Scope

  • Frontend/UI issues (unless they lead to contract exploitation)
  • Social engineering attacks
  • Denial of service attacks
  • Issues in third-party dependencies (report to respective maintainers)
  • Already known issues

Safe Harbor

We will not pursue legal action against security researchers who:

  • Make a good faith effort to avoid privacy violations, data destruction, or service interruption
  • Only interact with accounts they own or have explicit permission to test
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them
  • Report findings promptly and allow reasonable time for remediation before disclosure

Bug Bounty

We currently do not have a formal bug bounty program. However, we recognize and appreciate security researchers who help improve our protocol. Significant findings may be rewarded at our discretion.

Disclosure Policy

  • We request 90 days to address reported vulnerabilities before public disclosure
  • We will coordinate with reporters on disclosure timing
  • We will credit reporters (unless they prefer anonymity) in any public disclosure

Contact
