Security
Responsible disclosure, PGP by default.
If you've found a vulnerability in the L3RS-1 reference implementation, the Flow router, or any T3RRA-operated infrastructure, we want to hear from you.
PGP fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Scope
In scope.
L3RS-1 reference implementation
On the eight launch chains: Ethereum, Base, Arbitrum, Polygon, Avalanche, Solana, Stellar, Polkadot.
Flow cross-chain router
Bridge committee attestation and route certificate generation.
T3RRA web properties
t3rra.co and all subdomains operated by T3RRA.
Out of scope.
- Third-party chains themselves.
- Social engineering of T3RRA personnel or partners.
- Denial-of-service without a working proof of exploitable impact.
- Findings already documented in a published audit report.
Our Commitments
What you can expect.
Triaged within 2 business days.
You get a human response, not an auto-ack.
Credit where credit is due.
Researchers are acknowledged on this page (opt-in).
No legal action against good-faith research.
Safe harbor language below.
Safe harbor
T3RRA will not pursue civil or criminal action against researchers who act in good faith, stay within the scope above, avoid privacy violations and service degradation, and give us a reasonable window to remediate before public disclosure.
Hall of Thanks
Researchers who helped.
We'll list researchers here as disclosures are resolved. Be the first.
This policy will be formalized in a dedicated security.txt and VDP document ahead of public issuance.