Responsible Disclosure Policy

Last updated: Version: 1.0

PRC Wallet is a non-custodial wallet. We take security seriously and welcome good-faith reports from researchers. This page explains how to report, what's in scope, and the legal safe-harbor we provide to protect responsible research.

90-day coordinated disclosure by default; accelerated timelines possible for active exploitation.

Quick Reference (TL;DR)

  • Email [email protected] (use PGP)
  • Acknowledge 24h, triage 72h, updates weekly
  • 90-day coordinated disclosure
  • Scope: wallet.prc.network, api.prc.network, prc.network, official apps/bots
  • No DoS, no user-data access, no funds movement
  • Recognition now, bounties planned

Contact & Encryption

Primary security contact:

[email protected]

PGP public key (for encrypted reports):

Fingerprint: F3A1 9B7C 2D8E 4C5A 7F01 9AA2 1C3D 4E5F 6071 8AB9

Key ID: 0x60718AB9

Key block:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PASTE YOUR PUBLIC KEY HERE]
-----END PGP PUBLIC KEY BLOCK-----

security.txt:

We publish our security contact and policy at https://prc.network/.well-known/security.txt

Service levels (SLAs):

  • Acknowledge receipt: within 24 hours
  • Initial triage: within 72 hours
  • Status updates: every 7 days until resolution
  • Coordinated disclosure window: 90 days from acknowledgment

Legal Entity & Safe Harbor

Legal entity: PRC Network, LLC

Jurisdiction of incorporation: United States, Delaware

Safe Harbor (good-faith research):

If you comply with this policy, PRC commits not to initiate civil or criminal action, and not to pursue DMCA/anti-circumvention claims, CFAA-type claims, or similar, against you. We consider research under this policy to be authorized and in good faith.

This safe harbor applies to:

  • Unauthorized access that is strictly necessary to prove a vulnerability
  • Non-destructive testing
  • Research avoiding privacy violations and service disruption

Conditions:

  • Stop testing and notify us immediately upon finding user-data access paths, key-material exposure, or a path to unauthorized transactions
  • Do not access, modify, or exfiltrate data beyond the minimum needed to demonstrate impact
  • No extortion or threats. Bounties/thanks are independent of disclosure

Note: This policy does not bind third parties (cloud/infra providers, partners). We will help coordinate where possible.

Scope

In-scope assets (production):

  • wallet.prc.network — Web wallet UI and client-side logic
  • api.prc.network — Public APIs and backend services owned by PRC
  • prc.network — Main site, downloads, and security pages
      • /download — hashes & PGP
  • Mobile apps (iOS/Android) — when publicly released by PRC
  • Official GitHub repos — code maintained by PRC (public)
  • Telegram companion/bot — official PRC bot (no keys stored)

Strongly encouraged test targets:

  • Testnets for EVM/Vite where possible (use faucets)
  • Non-production environments we explicitly share with you

Out of scope:

  • Third-party services and vendors unless a PRC-controlled misconfiguration is the root cause
  • Social engineering (phishing emails/DMs to users, PRC staff, vendors)
  • Physical security of PRC offices, data centers, or staff devices
  • Denial of Service (DoS/DDoS, volumetric traffic, resource exhaustion)
  • Spam or automated account creation at scale
  • Low-risk issues without meaningful security impact
  • Rate-limit/CSRF on non-state-changing endpoints
  • Missing SPF/DMARC on non-sending domains

Rules of Engagement

Critical Rules:

No harm:

Do not impact availability or integrity of services.

No funds at risk:

Never move or attempt to move real user funds. Use testnets; if mainnet is unavoidable, use dust-value only and your own accounts.

Minimal data handling:

If you encounter user data, stop, minimize access, and report immediately. Do not store, transmit, or share data.

Privacy:

No scraping or mass enumeration of user data.

Severity & Prioritization

We use CVSS v3.1 as guidance plus product context (keys, transactions, privacy):

Critical (CVSS 9.0–10.0):

Remote code execution; signature forgery; unauthorized transaction/bypass of signing; extraction of private keys/seed/passphrase; auth bypass leading to key operations; supply-chain compromise of download/updates.

High (CVSS 7.0–8.9):

Privilege escalation; SSRF to sensitive internal services; stored XSS enabling transaction tampering; CSRF leading to unauthorized signing; sensitive info disclosure.

Medium (CVSS 4.0–6.9):

Stored/DOM XSS requiring user action but enabling account impact; open redirect with realistic exploit chain; weaknesses in crypto usage without practical exploit.

Low (CVSS 0.1–3.9):

Clickjacking on non-sensitive pages; missing security headers; minor info leaks without impact.

Rewards

Current Status:

Launch phase: Recognition-only (Hall of Fame + thank-you + optional swag)

Planned bounty program: Monetary rewards to be announced after initial audits

Target ranges (subject to change):

  • Critical: up to $[5,000–10,000]
  • High: up to $[2,000–5,000]
  • Medium: up to $[250–1,000]
  • Low: up to $[100–250]

Rewards are based on impact, quality of report, and uniqueness (first valid report gets it).

How to Report

Please email [email protected] (PGP-encrypted preferred).

Use the subject: [VULN] <short title> — <asset>

Include (required):

  • Summary: One-paragraph impact description
  • Asset & version: e.g., wallet.prc.network (web build commit), api.prc.network (version), app version/OS
  • Severity (your estimate): CVSS vector if possible
  • Reproduction steps: Numbered, from a fresh install/account
  • Proof of concept: Code, payloads, screenshots, or a short video
  • Scope of impact: What an attacker can achieve; preconditions
  • Mitigation ideas: Optional but helpful
  • Researcher details: Name/alias, contact, Hall of Fame preference, payout wallet (for future bounties)

Please avoid sending: real user data, private keys, or seeds. Redact sensitive info.

Prohibited Activities

  • DoS/DDoS or traffic floods
  • Data destruction or tampering
  • Accessing others' accounts or funds
  • Extortion or threats
  • Public disclosure prior to the coordination timeline without our consent

Hall of Fame

We maintain a Security Hall of Fame recognizing researchers who help secure PRC. Entries include name/alias, link (optional), severity, and advisory link.

URL: /security/hall-of-fame

Audits & Testing History

We publish third-party security assessments and pen-test summaries at /security/audits with dates, scope, and resolved findings.

Current status: [To be published / In progress with <Firm Name> / Completed on <Date>]

Media Inquiries

[email protected]

Changes to This Policy

We may update this policy. Material changes will be dated and versioned here. Continued research after changes constitutes acceptance of the updated terms.