# Report a Vulnerability

> How to responsibly disclose security vulnerabilities in IFÁ Labs oracle contracts and infrastructure — channels, guidelines, and what to expect.

IFÁ Labs takes security seriously. If you believe you have discovered a vulnerability in the oracle contracts, the relayer infrastructure, the MCP server, or any other component of the IFÁ Labs system, we want to hear from you immediately through the appropriate channels.

Responsible disclosure protects every protocol building on IFÁ Labs infrastructure. A vulnerability left unreported — or disclosed publicly before a fix is deployed — puts real funds at risk.

***

## Reporting Channels

Use the channel that matches the severity of what you've found.

### Critical and High Severity

For vulnerabilities that could result in loss of funds, price manipulation, or contract exploitation:

**Email — preferred for sensitive disclosures:**

<Card title="support@ifalabs.com" icon="envelope" href="mailto:support@ifalabs.com">
  Use this address for all critical and high severity reports. Encrypted communication is available on request — contact us first and we will arrange a secure channel.
</Card>

Do not disclose critical vulnerabilities in public channels, Discord, Telegram, or GitHub issues. Public disclosure before a fix is deployed puts protocols and users at immediate risk.

***

### Low and Informational Severity

For low-severity issues, documentation errors, or non-exploitable findings:

<CardGroup cols={2}>
  <Card title="GitHub Issues" icon="github" href="https://github.com/IFA-Labs/oracle_contract/issues/new">
    Open a private or public issue. Use the Bug Report template. Include reproduction steps and affected component.
  </Card>

  <Card title="Telegram" icon="message" href="https://t.me/ifalabs">
    Reach the team directly for questions about whether a finding warrants a formal report.
  </Card>
</CardGroup>

***

## What to Include in Your Report

A well-structured report enables faster triage and resolution. Include as much of the following as possible:

**Required:**

* Clear description of the vulnerability and its potential impact
* The affected component — contract address, function name, or infrastructure component
* Steps to reproduce the issue
* The network where the vulnerability was observed or can be demonstrated

**Strongly recommended:**

* Proof-of-concept code or transaction — use testnets where possible, never exploit on mainnet
* The block number or transaction hash of any relevant on-chain state
* Your assessment of severity and exploitability
* Any suggested fix or mitigation

**Optional but appreciated:**

* Your name or handle for attribution in the fix acknowledgement
* Whether you want to be credited publicly or anonymously

***

## Responsible Disclosure Guidelines

By reporting a vulnerability to IFÁ Labs, you agree to the following:

**Do:**

* Report privately through the channels above before any public disclosure
* Use testnets for proof-of-concept demonstrations wherever possible
* Allow reasonable time for the team to investigate, develop a fix, and deploy before going public
* Keep the details of your report confidential until a fix has been deployed and announced

**Do not:**

* Exploit the vulnerability on mainnet beyond the minimum required to demonstrate it
* Access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue
* Disclose the vulnerability publicly — including social media, Discord, or conference talks — before coordinating with IFÁ Labs
* Conduct denial-of-service testing against live infrastructure

***

## Our Commitments to You

When you submit a responsible disclosure report, IFÁ Labs commits to:

| Commitment                                    | Timeline                               |
| --------------------------------------------- | -------------------------------------- |
| Acknowledge receipt of your report            | Within 48 hours                        |
| Provide an initial severity assessment        | Within 5 business days                 |
| Keep you updated on investigation progress    | Weekly, or on significant developments |
| Notify you before public disclosure           | Before any fix announcement            |
| Credit you in release notes (with permission) | At time of public disclosure           |

We will not take legal action against researchers who discover and report vulnerabilities in good faith following these guidelines.

***

## Severity Classification

Use this guide to self-assess the severity of your finding before reporting. Include your assessment in the report — the team will independently verify it.

| Severity          | Description                                                    | Examples                                                                                       |
| ----------------- | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| **Critical**      | Direct loss of funds or complete price feed compromise         | On-chain price manipulation, unauthorized price writes, contract drain                         |
| **High**          | Significant impact on feed reliability or protocol safety      | Relayer manipulation, sustained staleness attack, depeg event suppression                      |
| **Medium**        | Limited impact with specific preconditions                     | Edge case in derived pair calculation, non-standard input handling                             |
| **Low**           | Minor issue with negligible exploitability                     | Inefficient logic, misleading error messages, documentation inconsistency in contract comments |
| **Informational** | No security impact — code quality or best practice observation | Unused variables, naming inconsistencies, gas inefficiency                                     |

***

## Scope

### In Scope

The following components are in scope for vulnerability reports:

* **Oracle smart contracts** — all deployed contracts at addresses listed in [Contract Addresses](/contract-addresses)
* **Relayer infrastructure** — any vulnerability in the price submission pipeline
* **MCP server** — the `@ifalabs/mcp-server` npm package and its dependencies
* **Interface package** — the `ifapricefeed-interface` npm package
* **Price aggregation logic** — any vulnerability in source collection, outlier detection, or consensus calculation
* **IFÁ Labs official documentation** — factual errors that could cause developers to implement insecure integrations

### Out of Scope

The following are explicitly out of scope:

* Theoretical attacks with no practical exploitability on current deployments
* Vulnerabilities in third-party dependencies that are not directly exploitable via IFÁ Labs components
* Social engineering attacks against IFÁ Labs team members
* Physical security of infrastructure
* Denial-of-service attacks against the public RPC endpoints
* Findings already documented in the [AdForensics Audit Summary](/ad-forensics-audit-summary)

***

## Bug Bounty

<Note>
  A formal bug bounty program is under development. Details on scope, reward tiers, and the submission platform will be announced via [@ifalabs](https://x.com/ifalabs) and the [Telegram](https://t.me/ifalabs) channel. Until the program launches, critical and high severity findings submitted through responsible disclosure will be reviewed for discretionary rewards based on the impact of the finding and the quality of the report.
</Note>

***

## Public Acknowledgements

IFÁ Labs publicly acknowledges security researchers who responsibly disclose vulnerabilities — with their permission. Researchers who have contributed to IFÁ Labs security will be listed here as findings are resolved and disclosed.

*No public acknowledgements yet — the program is new.*

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Data Integrity Mechanisms" icon="shield" href="/data-integrity-mechanisms">
    Understand the technical layers protecting IFÁ Labs price accuracy.
  </Card>

  <Card title="AdForensics Audit Summary" icon="shield-check" href="/ad-forensics-audit-summary">
    Review the full audit results for the deployed oracle contracts.
  </Card>
</CardGroup>
