At Supra, our mission is to build a smarter, faster, and more secure blockchain to help advance decentralization at global scale. Protecting the information we collect and use is fundamental to that mission.
To learn more about how we safeguard data across our systems, please refer to the Guide to Security and Compliance at Supra.
The Supra Security Team investigates reported security vulnerabilities as quickly as possible. If you believe you have identified a security issue in any Supra application or service, please submit a responsible disclosure report to:
[email protected]
When submitting a report, please follow the requirements outlined in this policy, including the optional use of our PGP key to encrypt your disclosure.
We ask that you do not publicly disclose any details about a potential vulnerability or its existence until it has been reviewed and resolved by Supra. In most cases, remediation is completed within 30 days.
When researching potential vulnerabilities, please use good judgment. You are interacting with a live production environment. The following activities are not permitted:
- Automated scanning, fuzzing, or large-scale testing
- (D)DoS or load testing of any kind
- Any activity that violates applicable laws or regulations
Details for Supra’s official bug bounty program can be found here:
https://supra.com/bug-bounty
A typical responsible disclosure follows this flow:
- A researcher identifies a potential security vulnerability.
- The researcher submits a report containing the required details via email.
- The Supra Security Team reviews and validates the report and responds with confirmation or follow-up questions. We typically reply within 24 hours.
- Once the issue has been resolved, the researcher is notified.
If you believe you have identified a vulnerability specifically related to Supra Identity Services, please report it to
[email protected]
in accordance with this policy.
All submissions are reviewed by the Supra Security Team. However, not all reports will qualify.
We do not accept:
- Reports based solely on automated scanners or tool output
- Theoretical attack scenarios without a working proof of concept
- Issues that require excessive or highly unrealistic user interaction
Additionally, the following vulnerability classes are considered out of scope:
- Missing security headers
- Missing cookie attributes
- Social engineering attacks (e.g. phishing, self-XSS)
- (D)DoS vulnerabilities
- Email spoofing
- Username or email enumeration
- Banner, version, or internal IP disclosure
- Physical security testing
To help us verify and resolve issues quickly, please include the following information in your disclosure:
- Email subject: Clearly indicate that the message is a security report. Example: [Security Bug Report for Supra.com]
- Contact details: Your preferred method of communication and PGP key (if applicable). We will reply to the sender’s email address by default.
- Vulnerability type: For example, XSS, CSRF, SQL injection, RCE.
- Affected systems: Relevant services, endpoints, IPs, FQDNs, or deep links.
- Supporting details: Screenshots, screen recordings, request/response logs, or proof-of-concept exploits. Please do not share files larger than 15MB via unauthenticated file-sharing services. Contact us first to arrange a secure transfer.
- Discovery timestamp: Date and time the issue was identified.
- Optional: The testing timeframe and source IP addresses used. This helps improve our detection and logging systems.
If you have questions about this policy or any general security-related concerns, feel free to contact us at
[email protected]