Avalanche takes the security of the platform and of its users very seriously. We and our community recognize the critical role of external security researchers and developers and welcome responsible disclosures.
Please do not file a public GitHub issue for any security vulnerability in interchain-kit or in the Avalanche components it exercises (ICM, ICTT, validator manager, icm-relayer, signature aggregator).
Disclose vulnerabilities privately through one of the following channels:
- The Avalanche Bug Bounty Program on Immunefi — valid reports may be eligible for a reward (terms and conditions apply).
- Email security@avalabs.org if the issue is out of Immunefi scope.
Vulnerabilities must be disclosed privately, with reasonable time for us to respond, and your research must avoid compromising other users and accounts or causing loss of funds that are not your own. We do not reward spam or social engineering vulnerabilities.
Do not test for or validate any security issues against the live Avalanche networks (Mainnet and Fuji testnet). Reproduce exploits in a local private network — that is exactly what this repo is for.
Please refer to the Bug Bounty page for the most up-to-date program rules and scope.
Please use the latest commit on main when validating security issues.