Vulnerability Disclosure Policy

Last updated March 15, 2023

Bluefin is committed to ensuring the security of the public by protecting their information. This policy explains our preferences for how security researchers should submit the vulnerabilities they identify to us, and gives them clear standards for carrying out vulnerability discovery activities.


This policy outlines the systems and categories of research that fall within its scope and how to disclose vulnerabilities to us.


Please get in touch with us if you discover any potential system flaws.

Guidelines

In accordance with this policy, "research" refers to activities in which you:

  • Inform us as soon as you find a genuine or potential security problem.
  • Make every attempt to avoid privacy violations, loss of user experience, disruption to production systems, and destruction or modification of data.
  • Use exploits only as much as necessary to verify a vulnerability is present. You shouldn't use an exploit to compromise or steal data, gain ongoing command-line access, or switch to another machine.
  • Use the identified communication channels to report vulnerability information to us.
  • Do not submit a high volume of low-quality reports.

If you have found a vulnerability or come across sensitive data (such as personally identifiable information, financial information, or intellectual information or trade secrets of any party), you must halt your test, let us know right away, and keep this information to yourself.

Test methods

The following test methods are not authorized:

  • DoS or DDoS tests on networks or other tests that restrict access to or harm systems or data.
  • Physical testing, social engineering, or any other non-technical vulnerability testing, such as tailgating, workplace access, open doors, or phishing.

Scope

This policy covers any vulnerability not previously disclosed by us or our independent auditors in their reports.

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our contracts or platforms, report it to us by emailing [email protected]. Your report should:

  • Describe the location and potential impact of the vulnerability.
  • Describe in detail the steps required to reproduce the vulnerability.
  • Be in English, if possible.

What you can expect from us

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursuing or supporting any legal action related to your findings.
  • Acknowledging receipt of your report within 3 business days.
  • Maintaining an open dialogue with you to understand and resolve the issue quickly.

Questions

Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.
