Security & Responsible Disclosure

Last updated: April 20, 2026

Reporting a vulnerability

If you believe you've found a security issue that affects ChainContext, please email security@chaincontext.dev. Include a clear description, reproduction steps and, where applicable, proof-of-concept code or payloads. If the issue is sensitive, say so in a first message without the details and we'll share a PGP key so the full report can be sent encrypted.

We acknowledge every report within 2 business days and aim to provide an initial assessment within 5 business days.

In scope

  • chaincontext.dev (marketing site)
  • app.chaincontext.dev (dashboard)
  • api.chaincontext.dev (public API)
  • User-deployed MCP servers on *.chaincontext.dev (the runtime infrastructure we operate, not the user's own configuration)
  • Supporting infrastructure (auth, billing, registry publishing)

Out of scope

  • Issues in third-party services we rely on (Supabase, Stripe, Resend, Upstash, Cloudflare). Report to the vendor directly.
  • Self-XSS, clickjacking on non-sensitive pages, and missing security headers with no demonstrated impact.
  • Rate-limit bypasses that cause no privilege escalation or data exposure.
  • Denial-of-service via volumetric attacks or resource exhaustion.
  • Social engineering of ChainContext staff or users.
  • Physical attacks.
  • Vulnerabilities in user-authored smart contracts or user-uploaded content — that's the responsibility of the project owner.

Safe harbor

We will not pursue legal action against good-faith security research that:

  • Does not violate user privacy or disrupt service for other users.
  • Does not access, modify, or delete data beyond what is necessary to demonstrate the issue.
  • Uses only test accounts you control.
  • Keeps findings confidential until we've had time to remediate.

If your research unintentionally breaks one of the above, tell us what happened. We'd rather know and work with you than learn about it later.

Bug bounty

We do not currently run a paid bug bounty program. We're a young company and we're honest about that. We will publicly credit researchers in our security acknowledgements (with your permission) and — as we grow — move toward a formal rewards program.

Machine-readable contact

Our security.txt, published in the RFC 9116 format, is the canonical contact record for automated discovery; tools should read it rather than scraping this page.
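As an added example, not ChainContext's own tooling and not part of this policy, the check below validates a security.txt record against the rules RFC 9116 states (required Contact and Expires, singleton fields, https-only web URIs, an expiry that is still in the future and not more than a year out). The two records embedded in it are constructed for the example: the mailto: address is the one on this page, while the Expires date and the Canonical URL are assumptions, not published values. It reads a record from a string, so it runs offline; signed (PGP clear-signed) files would need the signature verified and the armor stripped first, which this example does not do.

```python
"""Validate an RFC 9116 security.txt record.

Added example; not ChainContext's tooling. Sample records are constructed:
the contact address is from the policy page, Expires and Canonical are
assumptions.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fields defined in RFC 9116 section 2.5. Contact and Expires are required;
# Expires and Preferred-Languages may appear at most once. Every web URI in
# the file must use https (section 2.4); Encryption may also be dns:/openpgp4fpr:.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
SINGLETON_FIELDS = {"Expires", "Preferred-Languages"}
HTTPS_ONLY_FIELDS = {"Acknowledgments", "Canonical", "Hiring", "Policy"}


def parse(text):
    """Return {field: [values in file order]}; field names are canonicalised.
    Blank lines and '#' comments are skipped; lines without 'Name: value'
    are collected under '__malformed__' for the validator to report."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def validate(text, now=None):
    """Return a list of problems; an empty list means the record is well
    formed and its contact data is still current as of `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    fields = parse(text)
    problems = []
    for line in fields.pop("__malformed__", []):
        problems.append(f"line is not 'Field: value': {line!r}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name} (extensions are allowed, but check spelling)")
    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("Contact is required")
    for contact in contacts:
        scheme = urlparse(contact).scheme
        if not scheme:
            problems.append(f"Contact must be a URI (use mailto:/tel:), got bare {contact!r}")
        elif scheme == "http":
            problems.append(f"Contact web URI must be https: {contact!r}")
    for name in HTTPS_ONLY_FIELDS:
        for value in fields.get(name, []):
            if urlparse(value).scheme != "https":
                problems.append(f"{name} must be an https: URI: {value!r}")
    expires = fields.get("Expires", [])
    if not expires:
        problems.append("Expires is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must carry a UTC offset")
            elif exp <= now:
                problems.append(f"record expired on {expires[0]}; treat its contacts as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
    return problems


# Constructed sample: Expires and Canonical are assumptions, not published values.
SAMPLE = """\
# Constructed sample record in RFC 9116 format
Contact: mailto:security@chaincontext.dev
Expires: 2026-10-20T00:00:00Z
Canonical: https://chaincontext.dev/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed record with the mistakes seen most often in the wild.
BROKEN = """\
Contact: security@chaincontext.dev
Contact: http://chaincontext.dev/security
Expires: 2024-01-01T00:00:00Z
Expires: 2025-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, record in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label, validate(record) or "ok")
```

Run it against a fetched file by passing the response body to `validate()`; pin `now` in tests so the expiry check is deterministic.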