security · last updated 2026-05-15
Security & vulnerability disclosure
Ropil is a non-custodial swap interface. The worst-case impact of a frontend or infrastructure compromise is theft of user funds via a tampered transaction payload, a phishing page that tricks users into signing a malicious transaction, or exposure of routing telemetry. We take security reports seriously and want to hear from you.
How to report
Email helloropil+security@proton.me.
Plain email is fine. Mail to ProtonMail is delivered over TLS whenever the sending server supports it (effectively every modern provider). Note that this is transport encryption between mail servers, not end-to-end encryption of the message itself. No PGP key required.
Please include:
- A clear description of the issue and its impact.
- Reproduction steps — exact URL, request, payload, and observed response.
- Affected version (commit SHA visible in the page footer or /api/health).
- Your preferred handle for credit (or anonymous if you prefer).
Response expectations
- Acknowledgment: within 72 hours.
- Triage & severity assignment: within 7 days.
- Fix or mitigation timeline: communicated after triage. Critical issues — same week. High — 14 days. Medium — 30 days. Low — best effort.
- Public disclosure: coordinated with you. Default 90 days from initial report, sooner with mutual agreement.
Scope
In scope:
- ropil.xyz, app.ropil.xyz, mcp.ropil.xyz and all sub-paths.
- The Ropil MCP server (github.com/ropil/ropil-mcp-server, when public).
- The Ropil web app source (github.com/ropil/ropil-app, when public).
- Infrastructure misconfigurations affecting the above (CSP bypass, missing security headers, exposed admin endpoints, leaked secrets in HTML or JS bundles, server-side request forgery in API routes).
- Affiliate-fee tampering — anything that could redirect Ropil’s 30 bps affiliate fee to an attacker address.
- Supply-chain compromise vectors specific to Ropil’s build (typo-squatted packages, malicious post-install scripts, lockfile tampering).
Out of scope:
- Issues in upstream protocols Ropil routes through — LiFi, Relay, THORChain. Report those to the respective projects.
- User wallet vulnerabilities (MetaMask, Rabby, etc.). Report those to the wallet vendor.
- Volumetric DDoS, traffic flooding, or rate-limit bypass without a clear path to material harm.
- Self-XSS that requires the victim to paste arbitrary code into their own console.
- Reports based solely on automated scanner output (Nessus, Acunetix, etc.) without a working PoC.
- Missing security headers without a demonstrated exploitation path (e.g. X-Frame-Options on a page that doesn’t embed sensitive UI).
- Best-practice violations without exploit (e.g. cookies without SameSite=Strict when no cookies are set).
- Spam, social engineering, and phishing of Ropil staff or users (we have no user accounts to phish).
- Physical attacks on Ropil infrastructure.
Bounty
Ropil is bootstrapped and currently does not offer monetary rewards. We do offer:
- Public credit on this page’s hall of fame (or anonymous if preferred).
- A signed swag voucher (sticker pack, T-shirt) for valid medium+ severity reports.
- If we have a successful first year and Ropil generates revenue, a retroactive bounty pool will be established and previously valid reports re-considered.
Safe harbor
We will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to comply with this policy.
- Avoid privacy violations, data destruction, and service degradation during testing.
- Use test accounts and de minimis swap amounts on real chains, or testnets where supported.
- Do not exfiltrate or retain user data beyond what is needed to demonstrate the issue.
- Give us reasonable time to remediate before public disclosure.
If a third party initiates legal action against you for activity conducted in compliance with this policy, we will make it known publicly that your actions were authorized.
Hall of fame
No reports yet — be the first.
See also: security.txt · privacy policy · terms