Security
Report privately. Do no harm.
If you find a security issue on a MONAD-owned public system, report it privately with the affected route, impact, reproduction steps, and safe proof. Do not access other people's data, interrupt service, or publish before review.
Allowed research
Rule 01
Public websites and authenticated app routes operated by It's A Wrap, Stowner, Spliffers, InTheCut, and TheCut.Live.
Rule 02
Security issues that can be demonstrated without accessing, changing, removing, or exposing another person's data.
Rule 03
Authentication, authorization, payment-flow, webhook, storage, and public-route issues that are reported with clear reproduction steps.
Do not do this
Rule 01
Do not run denial-of-service testing, spam, credential stuffing, social engineering, physical attacks, or harassment.
Rule 02
Do not access private user data, download bulk records, change balances, alter payment records, or attempt payout or transfer manipulation.
Rule 03
Do not test third-party services outside MONAD control unless the issue is caused by MONAD configuration.
Rule 04
Do not publicly disclose an issue before it is reviewed and resolved.
Bounty status
Rule 01
Responsible-disclosure intake can be live now.
Rule 02
Paid bounty rewards, public reward tables, and third-party bounty platform participation are not active yet.
Rule 03
Rewards stay inactive until the CEO approves scope, budget, eligibility rules, and counsel/security review.