Bug bounty and responsible disclosure
If you find a security vulnerability in Pool Party, we want to hear about it privately so we can fix it before it can be abused. This page explains what is in scope, how to report, and the current status of a formal bounty program.
Program status
A formal, hosted bug bounty program (for example on Immunefi or HackerOne) with published reward tiers is not live yet. We will list the platform, scope, and reward tiers here when it launches. In the meantime, we operate responsible disclosure: report privately through the channels below and we will respond.
In scope
- Smart contracts deployed by Pool Party on Base (once addresses are published on the security page).
- The web app at app.pool-party.xyz and this marketing site.
- Issues that could lead to loss of user funds, unauthorized access, or data exposure.
Out of scope
- Reports from automated scanners without a working proof of concept.
- Social engineering, phishing, or physical attacks against staff or users.
- Denial of service, spam, and best-practice suggestions without a concrete impact.
How to report
Report privately, with enough detail to reproduce (affected component, steps, and a proof of concept where possible). Reach the team through GitHub (private security advisory) or the moderators in our Discord. Please give us reasonable time to investigate and fix before any public disclosure.
Our commitment
We will acknowledge your report, keep you updated while we investigate, and credit you if you would like once the issue is resolved. We will not pursue legal action against good-faith researchers who follow this process and avoid privacy violations and service disruption.
See the security overview for how Pool Party approaches security and how to verify contracts on BaseScan.