RESPONSIBLE DISCLOSURE · ACTIVE BOUNTY

Help Us Break It First

The Federation's security posture is a matter of public record. Our smart contracts will be audited before they ship. Our operational surface — Telegram admins, DNS, website, API, social accounts — is where the real attacks happen. That's why we pay researchers to find the gaps.

RED-TEAM BOUNTY

The Federation Red-Team Program

Most DeFi bug bounties cover smart contract vulnerabilities. Ours starts earlier — with the operational attack surface that accounts for the majority of crypto losses in 2026. Paid in $GFOF.

Why this program exists. Most crypto losses in 2026 do not come from exploited smart contracts. They come from phishing Telegram admins, DNS hijacks, cloned landing pages, social engineering, and X impersonation. Our smart contracts are not live yet — but these attack vectors are active right now. We treat operational security with the same rigor we intend to apply to our on-chain code.

CRITICAL
$500 in $GFOF
DNS hijack attempts successfully caught, active phishing sites using our branding, successful social engineering of a team admin, verified private key exposure, or any vulnerability that could enable direct theft of user funds once lending is live.
HIGH
$250 in $GFOF
Cloned landing pages, verified Telegram/Discord admin impersonation attempts, X account takeovers of affiliated accounts, working XSS on galacticfederation.co, or leaked credentials tied to any federation-owned service.
MEDIUM
$100 in $GFOF
Identified copycat tokens, typosquat domains, impersonation accounts not already known to us, open redirect vulnerabilities on our web surface, or CSP bypasses allowing phishing payload injection.
LOW
$50 in $GFOF
Minor information disclosure, subdomain takeover opportunities, misconfigured headers with demonstrable risk, or well-documented OSINT findings that reveal accidental exposure of federation infrastructure.
PROGRAM SCOPE

In Scope / Out of Scope

✓ IN SCOPE
galacticfederation.co · all subdomains · the /app widget · the /treasury page · Netlify functions at /api/* · @GFOF_Offcial on X · t.me/GFOF_SOL · the three Streamflow lock contracts · any operational wallet published on /treasury · any federation-owned service disclosed publicly.
✗ OUT OF SCOPE
Third-party services (Solana RPC endpoints, DexScreener, Streamflow itself, Raydium, Moonshot) — report to their own programs. Attacks requiring privileged physical access to a team member's hardware. DDoS or rate-limit attacks. Vulnerabilities requiring severely outdated or unpatched user software. Any test that requires unauthorized access to other users' wallets, funds, or personal data.
✓ RULES OF ENGAGEMENT
Do not exploit the finding beyond what is necessary to prove it. Do not publish the finding until we have confirmed and remediated it. Do not access, modify, or destroy data belonging to any user. Do not use findings to extort, blackmail, or otherwise harm the federation or its community. Violations void the bounty and may result in legal action.
✗ NOT ELIGIBLE
Theoretical findings without proof of exploitability. Duplicates of already-reported issues. Self-XSS. Missing security headers without demonstrated impact. Reports generated solely by automated scanners with no validation. Any report from a researcher under 18 or from a jurisdiction sanctioned by the US, UK, or EU.
REPORT A FINDING

Responsible Disclosure

We commit to acknowledging every valid report within 72 hours, providing a triage decision within 7 days, and paying out verified bounties within 14 days of remediation.

Step 1. Draft a clear writeup. Include: (a) the vulnerability class, (b) reproduction steps, (c) proof of exploitability, (d) your suggested severity and requested bounty tier, (e) whether you want public credit.

Step 2. Send it via DM to @WelksCrypto on X or to the Telegram admin of t.me/GFOF_SOL. If the finding is sensitive enough that it cannot pass through an unencrypted channel, request a PGP key and we will provide one.

Step 3. Do not publicly disclose the finding until we confirm remediation. If we do not respond within 7 days, you are free to escalate by publishing a non-exploitable summary and requesting a public response.

Step 4. Once remediated, the payout is made in $GFOF to a Solana wallet of your choice, with the USD equivalent locked at the moment the finding is confirmed. If you prefer alternative compensation (anonymous credit, or a donation to a charity of your choice), we will accommodate.

Primary contact: @WelksCrypto on X · admins in t.me/GFOF_SOL
Response SLA: 72 hours to acknowledge · 7 days to triage · 14 days to pay
RECOGNITION

Hall of Honor

Researchers who have disclosed verified findings are credited here with their permission. The list is public because trust in a security process is itself a feature.

No findings reported yet. Be the first. The list is permanent.

MACHINE-READABLE

/.well-known/security.txt

Per RFC 9116, we publish a standard security.txt so researchers and automated scanners can find our disclosure policy programmatically. It lives at galacticfederation.co/.well-known/security.txt.

# Galactic Federation of Finance — security.txt (RFC 9116)
# Canonical URL: https://galacticfederation.co/.well-known/security.txt
Contact: https://x.com/WelksCrypto
Contact: https://t.me/GFOF_SOL
Expires: 2027-04-20T00:00:00.000Z
Preferred-Languages: en
Canonical: https://galacticfederation.co/.well-known/security.txt
Policy: https://galacticfederation.co/security
Acknowledgments: https://galacticfederation.co/security#hall-of-honor
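A security.txt only helps if it actually conforms to RFC 9116: a missing Contact, a second Expires, an expired file, a plain-http URI, or a Canonical that does not match the URL the file is served from all make it useless or, worse, forgeable by a copy planted elsewhere. The validator below is an added example, not code from the page or the project. It parses the page's own security.txt (reconstructed one field per line) and checks the RFC's requirements; the page's deployment date from the footer is used as "now" so the check is reproducible, and a second, deliberately faulty file is constructed here to show what the findings look like.

```python
"""Validate an RFC 9116 security.txt before publishing it (added example, not the page's code)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# The page's own security.txt, reconstructed one field per line.
PAGE_SECURITY_TXT = """\
# Galactic Federation of Finance — security.txt (RFC 9116)
# Canonical URL: https://galacticfederation.co/.well-known/security.txt
Contact: https://x.com/WelksCrypto
Contact: https://t.me/GFOF_SOL
Expires: 2027-04-20T00:00:00.000Z
Preferred-Languages: en
Canonical: https://galacticfederation.co/.well-known/security.txt
Policy: https://galacticfederation.co/security
Acknowledgments: https://galacticfederation.co/security#hall-of-honor
"""
PAGE_URL = "https://galacticfederation.co/.well-known/security.txt"
# Deployment date from the page footer, used as "now" so the check is reproducible.
PAGE_DEPLOY_DATE = datetime(2026, 4, 20, tzinfo=timezone.utc)

# Constructed negative sample (not from the page): no Contact, http:// Canonical,
# duplicate Expires, an inline key block instead of a URI, and a malformed line.
BAD_SECURITY_TXT = """\
Canonical: http://example.invalid/.well-known/security.txt
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Encryption: -----BEGIN PGP PUBLIC KEY BLOCK-----
this line has no colon
"""
BAD_URL = "https://example.invalid/.well-known/security.txt"

# Fields whose values must be URIs (RFC 9116 section 2.5); a tuple keeps finding order stable.
URI_FIELDS = ("contact", "canonical", "policy", "acknowledgments", "encryption", "hiring")


def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Split 'Name: value' lines into a case-insensitive multimap; return (fields, malformed lines)."""
    fields: dict[str, list[str]] = {}
    malformed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            malformed.append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed


def _parse_expires(value: str) -> datetime | None:
    """Expires must be ISO 8601; a trailing 'Z' is normalised for fromisoformat on older Pythons."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_security_txt(text: str, fetched_from: str | None = None,
                          now: datetime | None = None) -> list[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, malformed = parse_security_txt(text)
    findings = [f"ERROR: malformed line {line!r}" for line in malformed]

    # Contact is mandatory: without it the file gives a researcher nowhere to report.
    if not fields.get("contact"):
        findings.append("ERROR: at least one Contact field is required")

    # Exactly one Expires, still in the future, and (SHOULD) less than a year out.
    expires_values = fields.get("expires", [])
    if len(expires_values) != 1:
        findings.append(f"ERROR: exactly one Expires field is required, found {len(expires_values)}")
    else:
        expires = _parse_expires(expires_values[0])
        if expires is None:
            findings.append(f"ERROR: Expires is not ISO 8601: {expires_values[0]!r}")
        elif expires <= now:
            findings.append(f"ERROR: file expired at {expires.isoformat()}")
        elif expires - now > timedelta(days=365):
            findings.append("WARN: Expires is more than a year away; RFC 9116 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("ERROR: Preferred-Languages may appear at most once")

    # Web URIs must be https; Contact may also be mailto: or tel:. Pasting a key block
    # into Encryption is a common mistake; the field must point at the key, not contain it.
    for name in URI_FIELDS:
        allowed = {"https", "mailto", "tel"} if name == "contact" else {"https"}
        for value in fields.get(name, []):
            if urlparse(value).scheme.lower() not in allowed:
                findings.append(f"ERROR: {name.title()} value must use {'/'.join(sorted(allowed))}: {value!r}")

    # If Canonical is present, the URL the file was served from must be listed; otherwise a
    # copy hosted elsewhere (a cloned site, for instance) could pass itself off as the policy.
    canonicals = fields.get("canonical", [])
    if fetched_from and canonicals and fetched_from not in canonicals:
        findings.append(f"ERROR: fetched from {fetched_from!r}, which is not listed in Canonical")
    return findings


def check_page_file() -> list[str]:
    """Findings for the page's own file as of its deployment date (expected: none)."""
    return validate_security_txt(PAGE_SECURITY_TXT, PAGE_URL, PAGE_DEPLOY_DATE)


def check_bad_file() -> list[str]:
    """Findings for the constructed negative sample (expected: six errors)."""
    return validate_security_txt(BAD_SECURITY_TXT, BAD_URL, PAGE_DEPLOY_DATE)


if __name__ == "__main__":
    for label, result in (("page", check_page_file()), ("bad", check_bad_file())):
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  " + finding)
```

Running the script prints "page: OK" for the page's file and six errors for the constructed one. In production the `fetched_from` argument should be the URL the file was actually retrieved from (it must be `/.well-known/security.txt` over HTTPS), and `now` should be left at its default so an expired file is caught; the deploy date is pinned here only to make the example reproducible.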
v11.0 · security · deployed 2026-04-20