Hemi is a modular blockchain built for superior scaling, security and interoperability.

At Hemi Labs, we consider security a fundamental part of our network. We value the security of our network and our users, however no matter how much effort we put into security, there could still be vulnerabilities hiding.

If you discover vulnerabilities in Hemi, we encourage responsible disclosure of the vulnerability so that we can take steps to resolve the vulnerability as quickly as possible. We ask you to help us better protect Hemi and our users by reporting vulnerabilities through HackerOne.

HackerOne is our only official vulnerability reporting platform, and allows us to triage and respond to vulnerability reports in a secure and fast manner. If you want to report a vulnerability, please report it through HackerOne. - Emails to Hemi Labs team members are not an acceptable way of reporting vulnerabilities.

Program Rules

We consider security a fundamental part of the Hemi Network. We appreciate your help in securing Hemi.

Disclosure policy

• Please do not discuss any vulnerabilities outside of the program without express consent from Hemi Labs.
• Follow HackerOne's disclosure guidelines.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).

Researching

• Do not impact other users with your testing, this includes testing against wallet addresses or accounts you do not own, disrupting block production or preventing transactions from being processed.
• Do not blindly submit reports with outputs from an automated testing tool that you have not manually verified.
• When testing HTTP requests, you MUST include a X-HackerOne-Research: [H1 username] header with your HackerOne username.
• If you need to create an account with an email address, please use your HackerOne email alias (@wearehackerone.com) email address to make the account identifiable.

The following is NEVER allowed

• Directly attacking or impacting Hemi users.
• Distributed Denial of Service (DDoS) attacks.
• Exploiting rate limiting.
• Spamming content or requests.
• Large-scale automated vulnerability scanning or automated tools that produce excessive amounts of traffic.
• Attacking Hemi Labs employees, contractors or our support/moderation teams (attempts at social engineering).

Reporting vulnerabilities

When reporting a vulnerability, the more information you can provide, the faster we can triage and confirm the reported vulnerability. Reports with clear and concise reproduction steps and screenshots are highly valued.

In order to protect Hemi and our users, do not reveal vulnerabilities to others until we have researched, addressed and disclosed a vulnerability. We will consider disclosing vulnerabilities on a case-by-case basis.

If you wish to publicly share your research or vulnerability, you should request disclosure, share a draft with us for review and approval at least 30 days prior to publishing any such information.

Thank you for helping keep Hemi and our users safe!