
Security & Disclosure.

v1.0

Scope

The disclosure program covers findings against the production Blue Escrow smart contract on Arbitrum One, the public frontend at the escrow.blue domain, and the public read-only API that backs it. Items listed under Out of scope below do not qualify for recognition or reward.

In scope

  • Escrow smart contract on Arbitrum One (mainnet deployment address).
  • Frontend at escrow.blue and its first-party API.
  • Backend event indexer and its read-only mirror.
  • SIWE authentication flow + JWT session handling.
  • Build pipeline tied to the production deployment.

Out of scope

  • Devnet / staging deployments and any pre-release branch.
  • Social engineering of operators, contributors, or middlemen.
  • Vulnerabilities in third-party wallets (MetaMask, Rainbow, etc).
  • Vulnerabilities in third-party RPC providers (Alchemy, Quicknode).
  • Findings requiring a compromised user device or stolen private key.
  • Spam, DoS, or rate-limit abuse without a proof of harm.

Severity Tiers

Severity drives the response timeline, the reward band, and the public disclosure clock. We use a five-tier scale; the assigned tier accounts for both the maximum theoretical impact and the realistic exploitability under production constraints.

Critical: Direct loss of user funds, contract takeover, permanent denial of release/refund, or unauthorized minting.

High: Loss of funds requiring specific pre-conditions, manipulation of reputation scoring, or backend bypass enabling reads of off-chain personal data.

Medium: Authenticated info leak, parameter griefing that wastes user gas, or denial of a non-critical UI surface.

Low: Minor information disclosure, missing security headers, or UX flaws that increase the chance of user error without direct impact.

Info: Hardening recommendations, code-quality findings, and dependency hygiene that do not present a direct exposure.

Disclosure Process

  1. Send your report to the address given in the Contact section, optionally PGP-encrypted with the key in section §05.
  2. Wait for an acknowledgement before public discussion — Safe Harbor only applies while disclosure is coordinated.
  3. Work with the coordination contact to validate impact and agree on remediation.
  4. A patch is deployed (contract upgrade or frontend patch) before public disclosure where feasible.
  5. A coordinated advisory and reward are published; you choose whether to be credited or remain anonymous.

Safe Harbor

Researchers acting in good faith, within the scope above, and following the disclosure process receive Safe Harbor: we will not pursue legal action, will support requests for Safe Harbor with third parties whose infrastructure the research traversed, and will treat the research as authorized for the purposes of any applicable computer-misuse laws.

PGP Key

For sensitive reports, encrypt to the public key below. The fingerprint is published here, in the security.txt file at the root of the production site, and in the protocol's public repository.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BlueEscrow Security 2026

[Placeholder — full ASCII-armored block published with the final security policy]

-----END PGP PUBLIC KEY BLOCK-----

Fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

Reward Bands

Rewards are paid in USDC on Arbitrum after a fix lands. The final amount within a band depends on quality of write-up, exploitability, and severity multipliers (loss of funds always reaches the upper bound for its tier).

  Severity | Reward range                 | Coordinated disclosure clock
  Critical | Up to USD 50,000             | 90 days
  High     | USD 5,000 – 25,000           | 60 days
  Medium   | USD 1,000 – 5,000            | 45 days
  Low      | USD 250 – 1,000              | 30 days
  Info     | Recognition only (optional)  | n/a

Audit Roadmap

The Escrow contract is in pre-audit hardening. A full external audit is scheduled before mainnet promotion; the report will be published in full on completion.

  • Date: TBA (pending engagement)
  • Scope: Full Escrow contract + reputation registry
  • Method: Stateless fuzz + invariant suite + manual review
  • Status: Pending

Hall of Fame

No findings have been credited yet. Researchers whose reports lead to a fix and who choose public credit will be listed in this section, ordered by date of acknowledgement.

Out of Scope (extended)

The list below complements the high-level scope in §01 with specific examples that frequently come up but do not qualify under this program.

  • Theoretical attacks without a proof of concept.
  • Self-XSS or attacks that require user paste into devtools.
  • Cross-site request forgery on endpoints with no state change.
  • Missing best-practice headers without a demonstrated exploit (HSTS preload, CSP refinements without bypass).
  • Reports from automated scanners without a manual verification step.
  • Issues that depend on social engineering of operators or middlemen.

Contact

All security correspondence — reports, follow-ups, scope questions — goes to the address below. Use the PGP key from §05 for sensitive details. We do not accept reports via social media DMs or unencrypted chat.

[email protected]
PGP fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000