Reliefpay
§ Security · Responsible disclosure · v0.1

Report it. In good faith.

ReliefPay is early-stage infrastructure that moves money for people in crisis. If you find a vulnerability, we want to hear from you before anyone else does.

01 — Scope

What’s in scope.

In scope
  • The web application at reliefpay.org and its sub-routes.
  • The Redemption and MerchantRegistry smart contracts deployed on the Sepolia testnet (addresses on the commitments page; mainnet equivalents when deployed).
  • Client-side cryptographic operations: signature generation, QR payload encoding, and verification logic.
  • The authentication and wallet-derivation flow used by recipient and operator wallets.

Out of scope
  • Vulnerabilities in upstream dependencies (thirdweb, Supabase, Vercel, the underlying blockchain node infrastructure). Please report those to the relevant vendor directly.
  • Denial-of-service attacks requiring sustained traffic or brute force.
  • Social engineering attacks against staff.
  • Physical attacks or attacks requiring physical access to a device.
  • Reports generated solely by automated scanners without a working proof of concept.

02 — How to report

Tell us about it.

Contact

Write to hello@reliefpay.org. Encrypt with our PGP key if the finding is particularly sensitive (key fingerprint and full key available on request).

What to include
  • A clear description of the vulnerability.
  • Steps to reproduce, including any required request payloads, account states, or specific timing.
  • An assessment of the impact: what could an attacker achieve?
  • Any proof-of-concept code, screenshots, or transaction hashes.

What we ask
  • Give us reasonable time to respond and fix before public disclosure. A standard 90-day window is appropriate for most findings; critical issues may justify a shorter window coordinated with us.
  • Do not access, modify, or exfiltrate data that is not your own.
  • Do not execute denial-of-service, social engineering, or physical attacks.
  • Keep the finding confidential until a fix is deployed.

03 — Our commitments

What we will do.

If you report in good faith and within the terms above, we will:

  • Acknowledge receipt within 72 hours.
  • Provide a substantive triage response within 7 days, including our assessment of severity and expected timeline.
  • Keep you informed of progress through to remediation.
  • Not pursue legal action, including under computer misuse or similar statutes, against researchers acting in good faith and within this policy.
  • Publicly credit you in our release notes, if you wish.
  • Report substantive findings and their fixes in a public advisory, coordinated with you, once remediation is complete.

We are currently pre-revenue and cannot offer paid bug bounties. We are working on a bounty programme for the mainnet launch; until then, public credit and the real gratitude of a team that benefits from your work are the best we can offer.

04 — Machine-readable

security.txt

A machine-readable version of this policy, in the format specified by RFC 9116, is served at:

https://reliefpay.org/.well-known/security.txt

Automated security researchers and scanners should use that endpoint as the canonical source of contact information.
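As an added illustration of the RFC 9116 format (example code written for this page, not the file actually served at reliefpay.org/.well-known/security.txt), the following parses a security.txt document and checks the points that matter for a policy like this one: a `Contact` field is present and is a URI, `Expires` appears exactly once, has not passed, and is not set unreasonably far out, and the URL-valued fields use https. The sample text is constructed; only the contact address and canonical URL come from this page, and the `Policy` URL and `Expires` date are assumptions.

```python
"""Parse and sanity-check a security.txt document as described in RFC 9116."""
from datetime import datetime, timezone, timedelta

# Constructed sample. NOT the file served at reliefpay.org/.well-known/security.txt;
# the Contact address and Canonical URL are taken from the policy page, the
# Policy URL and Expires date are assumed for illustration.
SAMPLE = """\
# ReliefPay responsible disclosure (constructed example)
Contact: mailto:hello@reliefpay.org
Expires: 2027-04-21T00:00:00Z
Canonical: https://reliefpay.org/.well-known/security.txt
Policy: https://reliefpay.org/security
Preferred-Languages: en
"""

# Fields whose value RFC 9116 defines as a URI and which should be served over https.
URL_FIELDS = ("canonical", "policy", "encryption", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return {field_name: [values, ...]}.

    Field names are case-insensitive, '#' lines are comments, and fields such
    as Contact may repeat, so every value is kept in a list.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank, comment, or a stray line without a field separator
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    problems = []

    # Contact is required and must be a URI (mailto:, https:, tel:), not a bare address.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a URI: {contact}")

    # Expires is required, must appear once, and should be less than a year away.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp <= now:
                problems.append("file has expired; scanners will treat it as stale")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    # URL-valued fields should point at https resources so they cannot be tampered with in transit.
    for field in URL_FIELDS:
        for value in fields.get(field, []):
            if not value.lower().startswith("https://"):
                problems.append(f"{field} should be an https URI: {value}")
    return problems


if __name__ == "__main__":
    fixed_now = datetime(2026, 4, 21, tzinfo=timezone.utc)
    print(check_security_txt(parse_security_txt(SAMPLE), now=fixed_now))
```

Run against the constructed sample with the clock pinned to the page's revision date, the checker returns an empty list; feeding it a file with a bare e-mail address in `Contact` and no `Expires` line surfaces both problems, which is exactly the kind of defect that makes automated scanners discard the file.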

Document · Security v0.1 · Last revised 21 April 2026