MAINNET · in operation since 2020 · BLOCK #32,731,548 · FINALITY 5.00s · OPS / BLOCK 0 · VALIDATORS 11 · 5 ORGS · TOTAL XBN 369B XBN · IN CIRCULATION 74.10B XBN · CONSENSUS HFBA · FINALITY 3–5s
Bantu
Legal · Security

Responsible disclosure.

The Bantu Blockchain Foundation takes security seriously. If you've discovered a vulnerability in our protocol, infrastructure, or applications, please disclose it through this policy — and we'll work with you to fix it.

What we cover.

  • The Bantu protocol (blockchain-core)
  • EXPANSION API (expansion.bantu.network, expansion-testnet.bantu.network)
  • Bantu Explorer (explorer.bantu.network)
  • Bantu Dashboard (dashboard.bantu.network)
  • Bantu Laboratory (laboratory.bantu.network)
  • Tokenize.Bantu (tokenize.bantu.network)
  • BantuPay mobile applications
  • bantufoundation.org and its subdomains

What we commit to.

  • Response (within 48 hours): Initial acknowledgement of receipt. We follow up with assessment within 7 days.
  • Coordination: We work with you on disclosure timeline. Default 90 days from report to public disclosure; longer for severe protocol-level issues requiring coordinated upgrades.
  • Credit (by your preference): Public credit, anonymous, or pseudonymous. We respect your choice.
  • Recognition (hall of fame + bounties): Material protocol vulnerabilities qualify for bug bounties paid in XBN. Hall of fame on this page for all valid disclosures.

Out of scope.

  • Social engineering of Foundation contractors or community members
  • Physical access to Foundation hardware
  • Denial-of-service or volumetric attacks on public endpoints
  • Issues in third-party RPC providers, wallets, or exchanges (please report to them directly)
  • Findings already disclosed in our public GitHub issues or change logs

How to report.

  1. Email the security team with a clear description of the issue, reproduction steps, and (where possible) suggested remediation.
  2. PGP encryption available on request — let us know in your first email and we'll share our public key.
  3. Please do not file public issues for protocol-level or infrastructure vulnerabilities. Coordinate via email until we agree on disclosure timing.
  4. Avoid testing against production data, accessing other users' accounts, or causing service disruption during your research.