Responsible disclosure

Security

Proofra is prelaunch infrastructure. If you find a vulnerability in the code, the protocol design, or this site, we want to hear about it.

How to report

Email [email protected] with enough detail to reproduce the issue. This is the preferred contact.

A machine-readable policy is published at /.well-known/security.txt per RFC 9116. Once public source repositories are live, a SECURITY.md and private vulnerability reporting will be available on GitHub.

Please give us a reasonable window to investigate and fix before any public disclosure. We will acknowledge reports and keep you updated on remediation.

Scope

During prelaunch, the most relevant areas are:

  • This website (proofra.org) and its configuration.
  • Consensus and protocol design issues that would undermine fair-launch guarantees or the planned work-backed finality model.
  • Public repositories, signed releases, checksums, and genesis data — once they are published.

There is no mainnet, no token, and no funds at risk yet. Reports about fake “Proofra” tokens, presales, or airdrops are not security issues but impersonation — see official links.

Guidelines

  • Test only against your own infrastructure or this public site; do not disrupt other users.
  • No social engineering, spam, or physical attacks.
  • Do not access, modify, or destroy data that is not yours.
  • Share findings privately first; act in good faith and we will too.

Encryption

Encrypted reporting is planned but not set up yet; it is not a priority while nothing is in active use. If you have a sensitive report that genuinely needs encryption, email us first with a short summary, hold the full details until a PGP key is in place, and we will publish one as soon as possible.

This is a prelaunch policy. It will be expanded with formal scope, severities, and (where appropriate) a bug-bounty program before a public testnet or mainnet.