Bug bounty · safe harbor

Find something. Tell us before you tell anyone else.

Meridian operates a public bug-bounty program with payouts of up to $1,000,000 for critical findings in production smart contracts. Researchers acting in good faith are protected under our safe-harbor policy. We confirm receipt within 24 hours and target initial triage within 72 hours.

Submit a finding View scope →

01 — Severity & payouts Per finding · in USD₮

Critical

Loss of funds

up to $1,000,000

Direct theft, freeze, or unauthorized transfer of client principal. Exploits requiring no privileged access. Bypass of multisig authorization.

High

Authorization bypass

up to $250,000

Bypass of policy verifier, signing boundary violation, replay across environments, oracle manipulation within tolerance band.

Medium

Operational impact

up to $50,000

Denial-of-service against executor, indexer divergence not caught by multi-source check, reconciliation incorrectness, audit-log tampering.

Low

Hardening

up to $10,000

Information disclosure, misconfiguration, leaks of non-sensitive metadata, minor issues in SDK or console without direct funds impact.

Final payout is determined by the security council based on impact, exploitability, novelty, and quality of the report. Reports with proof-of-concept code, suggested remediation, and clear reproduction steps are paid at the upper end of each band.

02 — Scope What is in and out

In scope

Smart contractsTreasury executor · policy verifier · vesting · $MRD jetton
SDK@meridian/sdk v0.3+ on npm
HTTP APIapi.meridian.fi/v1
Consoleconsole.meridian.fi
WebhooksSigning, replay protection, delivery integrity

Out of scope

Marketing sitemeridian.fi (this site) — unless funds-impacting
Third-party servicesSumsub, Chainalysis, Fireblocks, Notabene — report to the upstream vendor
DependenciesIssues in unmodified upstream OSS — please file there
Social engineeringPhishing of staff or clients · physical attacks · DoS
Theoretical issuesWithout practical exploit path

03 — Rules of engagement What we ask

No client harmDo not access, modify, or destroy data belonging to clients. Do not interrupt production services. Do not move funds.
Test in staging firstA fully mirrored staging environment is available on request. We will provision a sandbox workspace within 48 hours.
No public disclosure before fixCoordinated disclosure only. Once a fix ships, we coordinate timing for any public write-up — typically 30 days.
Single reportOne issue per report. Combining unrelated findings makes triage slower.
Reproducible PoCWorking proof-of-concept against a contract address or HTTP endpoint. Bonus payout for a clean reproduction harness.

04 — Safe harbor Legal protection for good-faith research

Acting under this policy means we will not pursue you.

If you make a good-faith effort to comply with the rules of engagement, Meridian Treasury Ltd. and its affiliates will:

Consider your research authorized under the relevant computer-fraud and anti-circumvention laws.
Not pursue civil action or report you to law enforcement for incidental violations of those laws that occur in the course of your research.
Treat your report as confidential and credit you (with your consent) once a public write-up is appropriate.
Coordinate with you on disclosure timing rather than impose a unilateral deadline.

If a third party initiates legal action against you and you have complied with this policy in your research on Meridian, we will make this known. This safe-harbor commitment applies only to actions taken under this program; unrelated actions are not covered.

05 — Submit a finding Two channels

Email or Immunefi.

For most findings, email is fastest. For research where you would prefer formal escrow and a published bounty, file via Immunefi. Both channels are read by the same security team within the same SLA.

Emailsecurity@meridian.fi · PGP fingerprint 3F2A 8B91 D4E7 1C66 0AB2 5DCE 7F40 9183 4A2C E1B5
Immunefiimmunefi.com / meridian-protocol →
SLA · acknowledgement24 hours from receipt
SLA · initial triage72 hours from receipt
SLA · payoutWithin 14 days of fix confirmation

Payouts settle in USD₮ on TON to a wallet address you specify in your report. The security council can substitute USD via wire to a registered counterparty if requested. Withholding obligations may apply depending on your jurisdiction.

Help us make Meridian harder to break.

The bounty exists because we would rather pay a researcher than a recovery firm. If you found something, the path is short.

Submit a finding Read the security disclosure