We take security seriously. If you've found a vulnerability that affects Arkena users — the wallet extension, the marketplace, the swap, or the backend — we want to hear about it before anyone else does.
This page is the canonical disclosure policy linked from /.well-known/security.txt on every Arkena domain.
How to report
Please do not open a public GitHub issue, post on X, or share the finding in a public Discord/Telegram channel before we've had a chance to respond. Coordinated disclosure protects users.
We aim to acknowledge new reports within 5 business days and to share a first triage response (severity assessment + next steps) within 10 business days. Critical issues affecting funds or self-custody are escalated immediately.
What's in scope
The following surfaces are in scope for responsible disclosure:
- Arkena Wallet extension (wallet.arkena.io and the Chrome Web Store listing) — key handling, password derivation, seed phrase storage, signing flows, content script injection, popup UI.
- Marketplace (arkena.io) — auth, signing prompts, NFT listing and purchase flows, royalty handling, oracle pricing.
- Swap (arkena.io/swap) — intent submission, quote matching, settlement, partial fills, allocation re-locking.
- Backend API — REST endpoints under api.arkena.io, authentication (SIWC, JWT), rate limits, CORS.
- Daml contracts — signatory/observer cascade, choice authorization, allocation lifecycle, fee accounting.
- Documentation (docs.arkena.io) — XSS, content injection in user-supplied search params.
What's out of scope
- Third-party services we depend on but don't operate (Canton Network validators, Splice nodes, Vercel infrastructure, Supabase, Grafana). Report these to the operator directly.
- Social engineering of Arkena employees or users.
- Physical attacks on devices or offices.
- Denial-of-service attacks that require flooding.
- Findings from automated scanners without a working proof-of-concept (CVSS-only reports).
- Issues in browsers, operating systems, or the Canton Network protocol itself — we'll happily forward, but they're not ours to fix.
- Self-XSS that requires the victim to paste code into devtools.
- Missing security headers without an exploit chain — we welcome hardening suggestions, but they're not bounty-eligible.
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services;
- Only interact with accounts they own or have explicit permission to test;
- Do not exploit the issue beyond what's necessary to confirm it exists;
- Give us reasonable time to respond before any public disclosure (default: 90 days, or until a fix ships, whichever is sooner);
- Comply with all applicable laws.
If you're unsure whether your testing falls within these guidelines, email us first and we'll clarify.
Bug bounty
In the meantime, valid reports receive:
- Public credit in our security acknowledgments (below), with your handle and a link of your choosing — opt out if you prefer.
- Direct line to the engineering team for follow-up findings.
Public disclosure
After a fix ships, we publish a brief writeup that includes:
- What was vulnerable and how
- Who reported it (with permission)
- What changed
- Whether any user funds or data were affected
We aim to publish within 30 days of the fix. If the issue is part of a larger ongoing investigation, we may delay disclosure and will keep the reporter informed.
Acknowledgments
This list will populate as we receive reports. If you've reported a vulnerability and want your name removed or changed, email us.
This policy is versioned with the Arkena docs. Changes are reviewed on the date stamped at the top of this page. The canonical machine-readable contact endpoint is /.well-known/security.txt per RFC 9116.