Responsible Disclosure
If you discover a security vulnerability in Rome Protocol, please report it responsibly.
Reporting
Open a ticket in the Rome Discord — use the ticket channel to reach the core team privately.
What to include:
Description of the vulnerability
Steps to reproduce
Potential impact assessment
Your contact information for follow-up
Guidelines
Do not publicly disclose the vulnerability before a fix is deployed
Do not exploit the vulnerability beyond what is necessary to demonstrate it
Do not access or modify data belonging to other users
Allow reasonable time for the team to investigate and fix the issue
Scope
In scope:
Rome EVM on-chain program
Rome Proxy, Hercules, Rhea services
Rome Solidity SDK and contract libraries
Oracle Gateway adapters
Meta-Hook Router
Bridge contracts (ERC20SPL, Factory, Registry)
Out of scope:
Third-party dependencies (report to their maintainers)
Social engineering attacks
Denial of service against testnet/devnet infrastructure
Issues in deprecated or archived repositories