Vulnerability Disclosure Policy
Effective Date: July 1, 2025
Version: 1.0
1. Introduction
Noders LLC ("Noders," "we," "us," or "our") is committed to maintaining the highest standards of security across our blockchain infrastructure services, staking platforms, and digital products. As professional validators operating across 40+ blockchain networks for over 4 years, we recognize that responsible security research and coordinated vulnerability disclosure are essential components of maintaining robust cybersecurity in the Web3 ecosystem.
This Vulnerability Disclosure Policy (VDP) provides clear guidelines for security researchers, ethical hackers, and members of the cybersecurity community to report potential vulnerabilities in our systems safely and responsibly. We welcome and encourage the security community to help us identify and address security vulnerabilities to protect our infrastructure, users, and the broader blockchain ecosystem.
2. Scope
This policy applies to the following Noders LLC systems, products, and services:
In-Scope Systems:
Main Website: noders.team
Services Platform: noders.services
Application Platforms: including (but not limited to) solpulse.org, celestiahub.org, ipstoryhub.org, etc.
Staking Platform: (when launched)
API Services: All public-facing APIs
Web Applications: All customer-facing applications and dashboards
Infrastructure Services: Public-facing infrastructure components
Blockchain Networks:
Vulnerabilities related to our validator operations on:
Sui, Ethereum, Solana, Story, Berachain, Celestia, Namada, Nillion, Avail, LIDO SSV, NYM, Humans AI, Sophon, ZetaChain, Ava, Supra, Andromeda, Haqq, and other networks we validate.
Third-Party Services:
Framer-hosted website components
Google Analytics implementation
Contact forms and data collection systems
3. Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We commit to:
Working with you to understand and resolve the issue promptly
Not recommending or pursuing legal action related to your research
Protecting your identity if you wish to remain anonymous
Providing public acknowledgment if you consent to disclosure
Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known and support your defense where possible.
4. Research Guidelines
Under this policy, "research" means activities that meet the following conditions:
Permitted Activities:
Test systems and services explicitly listed in our scope
Notify us immediately upon discovering a real or potential security issue
Make every effort to avoid privacy violations and data compromise
Use exploits only to the extent necessary to confirm a vulnerability's presence
Provide us reasonable time to resolve issues before public disclosure
Follow responsible disclosure practices
Mandatory Requirements:
Stop immediately once you've established that a vulnerability exists
Do not access, modify, or delete any data belonging to Noders or our users
Do not access, modify, or delete any data belonging to other users or third parties
Notify us immediately if you encounter sensitive data during your research
Do not disclose vulnerability details to anyone else without our written consent
5. Prohibited Activities
The following activities are strictly prohibited and may result in legal action:
Denial of Service (DoS/DDoS) attacks or resource exhaustion
Social engineering of employees, contractors, or users
Physical attacks against our property or personnel
Spam or automated submission of low-quality reports
Data exfiltration or unauthorized data access
Disruption of staking operations or validator services
Interference with blockchain consensus mechanisms
Destruction or modification of any data
Installation of malware or persistent access tools
Testing of third-party services not owned by Noders
Brute force attacks against authentication systems
Excessive network traffic that may impact service availability
6. Out-of-Scope Areas
The following are considered out-of-scope and are not eligible for rewards:
Technical Exclusions:
Issues in third-party services not controlled by Noders
Social engineering attacks
Physical security issues
GDPR/privacy-related concerns (use privacy@noders.team)
Theoretical vulnerabilities without proof of concept
Issues requiring physical access to our facilities
Known vulnerabilities already disclosed or patched
Blockchain-Specific Exclusions:
Issues inherent to blockchain protocols themselves
Smart contract vulnerabilities in protocols we validate (report to respective projects)
Network-level attacks requiring significant resources
Issues related to blockchain reorganizations or forks
Low-Priority Issues:
Missing security headers without demonstrated impact
Self-XSS vulnerabilities
Clickjacking on pages without sensitive content
Disclosure of publicly available information
Email spoofing without additional impact
SSL/TLS configuration issues without demonstrated vulnerability
7. Reporting Process
Contact Information:
Primary Contact: security@noders.team
Alternative Contact: tech@noders.team
(mark subject: "SECURITY VULNERABILITY")
Encryption
All vulnerability reports must be encrypted using our GPG public key for confidentiality:
Required Information:
Your report must include:
Contact Information (if not submitting anonymously)
Vulnerability Type (e.g., XSS, SQL injection, RCE, authentication bypass)
Affected Systems (specific URLs, services, or components)
Detailed Description of the vulnerability
Steps to Reproduce with clear, numbered instructions
Proof of Concept (screenshots, videos, or code snippets)
Potential Impact assessment
Timeline of discovery
Suggested Mitigations (if known)
Report Quality Standards:
Provide clear, detailed instructions for reproduction
Include visual evidence when possible
Avoid automated scanning tool output without verification
One vulnerability per report for efficient processing
Use English for all communications
8. Our Response Process
Initial Response:
Acknowledgment: Within 48 hours of receipt
Initial Assessment: Within 5 business days
Regular Updates: At least every 14 days until resolution
Severity Assessment:
We use the Common Vulnerability Scoring System (CVSS v3.1) to assess severity:
Critical (9.0-10.0): Immediate response required
High (7.0-8.9): Response within 72 hours
Medium (4.0-6.9): Response within 1 week
Low (0.1-3.9): Response within 2 weeks
Resolution Timeline:
Critical: 24-72 hours
High: 1-2 weeks
Medium: 2-4 weeks
Low: 4-8 weeks
9. Coordinated Disclosure
Disclosure Timeline:
We request a 90-day disclosure window to resolve issues before public release. For critical vulnerabilities with active exploitation risk, we may expedite resolution and coordinate an earlier disclosure timeline.
Public Disclosure:
We will coordinate with you on the timing of public disclosure
Security advisories will be published on our website
Researchers will be credited unless they prefer anonymity
We may publish technical details to help the community
10. Recognition and Rewards
Acknowledgment:
Public recognition on our security page (with consent)
Letter of appreciation for significant findings
Potential Noders merchandise or swag
Reference letter for security professionals (upon request)
Non-Monetary Program:
This is not a bug bounty program. We do not offer monetary rewards but deeply appreciate responsible disclosure and may provide non-monetary recognition for valuable contributions.
11. Legal Safe Harbor
Noders LLC will not pursue legal action against security researchers who:
Act in good faith and comply with this policy
Do not violate any applicable laws
Do not access, modify, or delete user data
Report vulnerabilities promptly and confidentially
Follow our coordinated disclosure process
12. Data Protection and Privacy
Information Handling:
All vulnerability reports are treated as confidential
Reporter information is protected according to GDPR and applicable privacy laws
Data is retained only as long as necessary for security purposes
Third-party disclosure requires explicit consent
Anonymous Reporting:
Anonymous reports are accepted and encouraged
We do not require personally identifiable information
Use secure communication channels and encryption
13. ISO 27001 Compliance
As part of our ISO 27001:2022 certification process, this policy aligns with:
A.16.1.2 Reporting information security incidents
A.8.8 Management of technical vulnerabilities
A.13.2.1 Information transfer policies and procedures
14. Updates and Changes
This policy may be updated periodically to reflect:
Changes in our systems and services
Evolution of security practices
Regulatory requirements
Community feedback
Updates will be posted on our website with effective dates clearly marked.
15. Contact and Questions
Primary Contacts:
Security Team: security@noders.team
General Questions: tech@noders.team
Privacy Concerns: privacy@noders.team
Security.txt File:
This policy is referenced in our security.txt file at: https://noders.team/.well-known/security.txt
Business Information:
Noders LLC
Exempted Company incorporated in the Cayman Islands with Limited Liability
Website: https://noders.team
Industry: Blockchain Infrastructure & Validation Services
Acknowledgments
We sincerely thank the security community for helping protect the Noders ecosystem and the broader Web3 infrastructure. Your responsible disclosures contribute to a more secure decentralized future.
For immediate security concerns or questions about this policy, please contact security@noders.team.
This document represents our commitment to security transparency and collaborative improvement. We reserve the right to modify this policy at any time.